1997-05-28 15:44:22 +00:00
|
|
|
/*
|
|
|
|
* Sun RPC is a product of Sun Microsystems, Inc. and is provided for
|
|
|
|
* unrestricted use provided that this legend is included on all tape
|
|
|
|
* media and as a part of the software program in whole or part. Users
|
|
|
|
* may copy or modify Sun RPC without charge, but are not authorized
|
|
|
|
* to license or distribute it to anyone else except as part of a product or
|
|
|
|
* program developed by the user.
|
|
|
|
*
|
|
|
|
* SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
|
|
|
|
* WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR
|
|
|
|
* PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
|
|
|
|
*
|
|
|
|
* Sun RPC is provided with no support and without any obligation on the
|
|
|
|
* part of Sun Microsystems, Inc. to assist in its use, correction,
|
|
|
|
* modification or enhancement.
|
|
|
|
*
|
|
|
|
* SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
|
|
|
|
* INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
|
|
|
|
* OR ANY PART THEREOF.
|
|
|
|
*
|
|
|
|
* In no event will Sun Microsystems, Inc. be liable for any lost revenue
|
|
|
|
* or profits or other special, indirect and consequential damages, even if
|
|
|
|
* Sun has been advised of the possibility of such damages.
|
|
|
|
*
|
|
|
|
* Sun Microsystems, Inc.
|
|
|
|
* 2550 Garcia Avenue
|
|
|
|
* Mountain View, California 94043
|
|
|
|
*/
|
|
|
|
|
1997-09-23 06:36:27 +00:00
|
|
|
#ifndef lint
|
|
|
|
#if 0
|
|
|
|
static char sccsid[] = "@(#)keyserv.c 1.15 94/04/25 SMI";
|
|
|
|
#endif
|
|
|
|
static const char rcsid[] =
|
1999-08-28 01:35:59 +00:00
|
|
|
"$FreeBSD$";
|
1997-09-23 06:36:27 +00:00
|
|
|
#endif /* not lint */
|
1997-05-28 15:44:22 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Copyright (c) 1986 - 1991 by Sun Microsystems, Inc.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Keyserver
|
|
|
|
* Store secret keys per uid. Do public key encryption and decryption
|
|
|
|
* operations. Generate "random" keys.
|
|
|
|
* Do not talk to anything but a local root
|
|
|
|
* process on the local transport only
|
|
|
|
*/
|
|
|
|
|
1997-09-23 06:36:27 +00:00
|
|
|
#include <err.h>
|
|
|
|
#include <pwd.h>
|
1997-05-28 15:44:22 +00:00
|
|
|
#include <stdio.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
1997-09-23 06:36:27 +00:00
|
|
|
#include <unistd.h>
|
1997-05-28 15:44:22 +00:00
|
|
|
#include <sys/stat.h>
|
|
|
|
#include <sys/types.h>
|
|
|
|
#include <rpc/rpc.h>
|
|
|
|
#include <sys/param.h>
|
|
|
|
#include <sys/file.h>
|
|
|
|
#include <rpc/des_crypt.h>
|
|
|
|
#include <rpc/des.h>
|
|
|
|
#include <rpc/key_prot.h>
|
|
|
|
#include <rpcsvc/crypt.h>
|
|
|
|
#include "keyserv.h"
|
|
|
|
|
|
|
|
#ifndef NGROUPS
|
|
|
|
#define NGROUPS 16
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifndef KEYSERVSOCK
|
|
|
|
#define KEYSERVSOCK "/var/run/keyservsock"
|
|
|
|
#endif
|
|
|
|
|
|
|
|
static void randomize __P(( des_block * ));
|
|
|
|
static void usage __P(( void ));
|
|
|
|
static int getrootkey __P(( des_block *, int ));
|
|
|
|
static int root_auth __P(( SVCXPRT *, struct svc_req * ));
|
|
|
|
|
|
|
|
#ifdef DEBUG
|
|
|
|
static int debugging = 1;
|
|
|
|
#else
|
|
|
|
static int debugging = 0;
|
|
|
|
#endif
|
|
|
|
|
|
|
|
static void keyprogram();
|
|
|
|
static des_block masterkey;
|
|
|
|
char *getenv();
|
|
|
|
static char ROOTKEY[] = "/etc/.rootkey";
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Hack to allow the keyserver to use AUTH_DES (for authenticated
|
|
|
|
* NIS+ calls, for example). The only functions that get called
|
|
|
|
* are key_encryptsession_pk, key_decryptsession_pk, and key_gendes.
|
|
|
|
*
|
|
|
|
* The approach is to have the keyserver fill in pointers to local
|
|
|
|
* implementations of these functions, and to call those in key_call().
|
|
|
|
*/
|
|
|
|
|
|
|
|
extern cryptkeyres *(*__key_encryptsession_pk_LOCAL)();
|
|
|
|
extern cryptkeyres *(*__key_decryptsession_pk_LOCAL)();
|
|
|
|
extern des_block *(*__key_gendes_LOCAL)();
|
|
|
|
extern int (*__des_crypt_LOCAL)();
|
|
|
|
|
|
|
|
cryptkeyres *key_encrypt_pk_2_svc_prog __P(( uid_t, cryptkeyarg2 * ));
|
|
|
|
cryptkeyres *key_decrypt_pk_2_svc_prog __P(( uid_t, cryptkeyarg2 * ));
|
|
|
|
des_block *key_gen_1_svc_prog __P(( void *, struct svc_req * ));
|
|
|
|
|
|
|
|
int
|
|
|
|
main(argc, argv)
|
|
|
|
int argc;
|
|
|
|
char *argv[];
|
|
|
|
{
|
|
|
|
int nflag = 0;
|
|
|
|
int c;
|
|
|
|
int warn = 0;
|
|
|
|
char *path = NULL;
|
2002-02-06 19:15:34 +00:00
|
|
|
void *localhandle;
|
|
|
|
register SVCXPRT *transp;
|
|
|
|
struct netconfig *nconf = NULL;
|
1997-05-28 15:44:22 +00:00
|
|
|
|
|
|
|
__key_encryptsession_pk_LOCAL = &key_encrypt_pk_2_svc_prog;
|
|
|
|
__key_decryptsession_pk_LOCAL = &key_decrypt_pk_2_svc_prog;
|
|
|
|
__key_gendes_LOCAL = &key_gen_1_svc_prog;
|
|
|
|
|
|
|
|
while ((c = getopt(argc, argv, "ndDvp:")) != -1)
|
|
|
|
switch (c) {
|
|
|
|
case 'n':
|
|
|
|
nflag++;
|
|
|
|
break;
|
|
|
|
case 'd':
|
|
|
|
pk_nodefaultkeys();
|
|
|
|
break;
|
|
|
|
case 'D':
|
|
|
|
debugging = 1;
|
|
|
|
break;
|
|
|
|
case 'v':
|
|
|
|
warn = 1;
|
|
|
|
break;
|
|
|
|
case 'p':
|
|
|
|
path = optarg;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
usage();
|
|
|
|
}
|
|
|
|
|
|
|
|
load_des(warn, path);
|
|
|
|
__des_crypt_LOCAL = _my_crypt;
|
1997-09-23 06:36:27 +00:00
|
|
|
if (svc_auth_reg(AUTH_DES, _svcauth_des) == -1)
|
|
|
|
errx(1, "failed to register AUTH_DES authenticator");
|
1997-05-28 15:44:22 +00:00
|
|
|
|
|
|
|
if (optind != argc) {
|
|
|
|
usage();
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Initialize
|
|
|
|
*/
|
2002-02-06 19:15:34 +00:00
|
|
|
(void) umask(S_IXUSR|S_IXGRP|S_IXOTH);
|
1997-09-23 06:36:27 +00:00
|
|
|
if (geteuid() != 0)
|
|
|
|
errx(1, "keyserv must be run as root");
|
1997-05-28 15:44:22 +00:00
|
|
|
setmodulus(HEXMODULUS);
|
|
|
|
getrootkey(&masterkey, nflag);
|
|
|
|
|
2002-02-06 19:15:34 +00:00
|
|
|
rpcb_unset(KEY_PROG, KEY_VERS, NULL);
|
|
|
|
rpcb_unset(KEY_PROG, KEY_VERS2, NULL);
|
|
|
|
|
Bring in a hybrid of SunSoft's transport-independent RPC (TI-RPC) and
associated changes that had to happen to make this possible as well as
bugs fixed along the way.
Bring in required TLI library routines to support this.
Since we don't support TLI we've essentially copied what NetBSD
has done, adding a thin layer to emulate direct the TLI calls
into BSD socket calls.
This is mostly from Sun's tirpc release that was made in 1994,
however some fixes were backported from the 1999 release (supposedly
only made available after this porting effort was underway).
The submitter has agreed to continue on and bring us up to the
1999 release.
Several key features are introduced with this update:
Client calls are thread safe. (1999 code has server side thread
safe)
Updated, a more modern interface.
Many userland updates were done to bring the code up to par with
the recent RPC API.
There is an update to the pthreads library, a function
pthread_main_np() was added to emulate a function of Sun's threads
library.
While we're at it, bring in NetBSD's lockd, it's been far too
long of a wait.
New rpcbind(8) replaces portmap(8) (supporting communication over
an authenticated Unix-domain socket, and by default only allowing
set and unset requests over that channel). It's much more secure
than the old portmapper.
Umount(8), mountd(8), mount_nfs(8), nfsd(8) have also been upgraded
to support TI-RPC and to support IPV6.
Umount(8) is also fixed to unmount pathnames longer than 80 chars,
which are currently truncated by the Kernel statfs structure.
Submitted by: Martin Blapp <mb@imp.ch>
Manpage review: ru
Secure RPC implemented by: wpaul
2001-03-19 12:50:13 +00:00
|
|
|
if (svc_create(keyprogram, KEY_PROG, KEY_VERS,
|
|
|
|
"netpath") == 0) {
|
|
|
|
(void) fprintf(stderr,
|
|
|
|
"%s: unable to create service\n", argv[0]);
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (svc_create(keyprogram, KEY_PROG, KEY_VERS2,
|
|
|
|
"netpath") == 0) {
|
|
|
|
(void) fprintf(stderr,
|
|
|
|
"%s: unable to create service\n", argv[0]);
|
|
|
|
exit(1);
|
|
|
|
}
|
1997-05-28 15:44:22 +00:00
|
|
|
|
2002-02-06 19:15:34 +00:00
|
|
|
localhandle = setnetconfig();
|
|
|
|
while ((nconf = getnetconfig(localhandle)) != NULL) {
|
|
|
|
if (nconf->nc_protofmly != NULL &&
|
|
|
|
strcmp(nconf->nc_protofmly, NC_LOOPBACK) == 0)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (nconf == NULL)
|
|
|
|
errx(1, "getnetconfig: %s", nc_sperror());
|
|
|
|
|
|
|
|
unlink(KEYSERVSOCK);
|
|
|
|
rpcb_unset(CRYPT_PROG, CRYPT_VERS, nconf);
|
|
|
|
transp = svcunix_create(RPC_ANYSOCK, 0, 0, KEYSERVSOCK);
|
|
|
|
if (transp == NULL)
|
|
|
|
errx(1, "cannot create AF_LOCAL service");
|
|
|
|
if (!svc_reg(transp, KEY_PROG, KEY_VERS, keyprogram, nconf))
|
|
|
|
errx(1, "unable to register (KEY_PROG, KEY_VERS, unix)");
|
|
|
|
if (!svc_reg(transp, KEY_PROG, KEY_VERS2, keyprogram, nconf))
|
|
|
|
errx(1, "unable to register (KEY_PROG, KEY_VERS2, unix)");
|
|
|
|
if (!svc_reg(transp, CRYPT_PROG, CRYPT_VERS, crypt_prog_1, nconf))
|
|
|
|
errx(1, "unable to register (CRYPT_PROG, CRYPT_VERS, unix)");
|
|
|
|
|
|
|
|
endnetconfig(localhandle);
|
|
|
|
|
|
|
|
(void) umask(066); /* paranoia */
|
|
|
|
|
1997-05-28 15:44:22 +00:00
|
|
|
if (!debugging) {
|
|
|
|
daemon(0,0);
|
|
|
|
}
|
|
|
|
|
2002-02-06 19:15:34 +00:00
|
|
|
signal(SIGPIPE, SIG_IGN);
|
|
|
|
|
1997-05-28 15:44:22 +00:00
|
|
|
svc_run();
|
|
|
|
abort();
|
|
|
|
/* NOTREACHED */
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* In the event that we don't get a root password, we try to
|
|
|
|
* randomize the master key the best we can
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
randomize(master)
|
|
|
|
des_block *master;
|
|
|
|
{
|
2003-02-11 01:56:40 +00:00
|
|
|
#ifndef __FreeBSD__
|
1997-05-28 15:44:22 +00:00
|
|
|
int i;
|
|
|
|
int seed;
|
|
|
|
struct timeval tv;
|
|
|
|
int shift;
|
|
|
|
|
|
|
|
seed = 0;
|
|
|
|
for (i = 0; i < 1024; i++) {
|
|
|
|
(void) gettimeofday(&tv, (struct timezone *) NULL);
|
|
|
|
shift = i % 8 * sizeof (int);
|
|
|
|
seed ^= (tv.tv_usec << shift) | (tv.tv_usec >> (32 - shift));
|
|
|
|
}
|
2003-02-11 01:56:40 +00:00
|
|
|
#endif
|
1997-05-28 15:44:22 +00:00
|
|
|
#ifdef KEYSERV_RANDOM
|
2003-02-11 01:56:40 +00:00
|
|
|
#ifdef __FreeBSD__
|
2003-02-18 01:35:58 +00:00
|
|
|
master->key.low = arc4random();
|
|
|
|
master->key.high = arc4random();
|
2003-02-11 01:56:40 +00:00
|
|
|
#else
|
1997-05-28 15:44:22 +00:00
|
|
|
srandom(seed);
|
|
|
|
master->key.low = random();
|
|
|
|
master->key.high = random();
|
2003-02-18 01:35:58 +00:00
|
|
|
#endif
|
1997-05-28 15:44:22 +00:00
|
|
|
#else
|
|
|
|
/* use stupid dangerous bad rand() */
|
2003-02-11 01:56:40 +00:00
|
|
|
#ifdef __FreeBSD__
|
|
|
|
sranddev();
|
|
|
|
#else
|
1997-05-28 15:44:22 +00:00
|
|
|
srand(seed);
|
2003-02-11 01:56:40 +00:00
|
|
|
#endif
|
1997-05-28 15:44:22 +00:00
|
|
|
master->key.low = rand();
|
|
|
|
master->key.high = rand();
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Try to get root's secret key, by prompting if terminal is a tty, else trying
|
|
|
|
* from standard input.
|
|
|
|
* Returns 1 on success.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
getrootkey(master, prompt)
|
|
|
|
des_block *master;
|
|
|
|
int prompt;
|
|
|
|
{
|
|
|
|
char *passwd;
|
|
|
|
char name[MAXNETNAMELEN + 1];
|
|
|
|
char secret[HEXKEYBYTES];
|
|
|
|
key_netstarg netstore;
|
|
|
|
int fd;
|
|
|
|
|
|
|
|
if (!prompt) {
|
|
|
|
/*
|
|
|
|
* Read secret key out of ROOTKEY
|
|
|
|
*/
|
|
|
|
fd = open(ROOTKEY, O_RDONLY, 0);
|
|
|
|
if (fd < 0) {
|
|
|
|
randomize(master);
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
if (read(fd, secret, HEXKEYBYTES) < HEXKEYBYTES) {
|
1997-09-23 06:36:27 +00:00
|
|
|
warnx("the key read from %s was too short", ROOTKEY);
|
1997-05-28 15:44:22 +00:00
|
|
|
(void) close(fd);
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
(void) close(fd);
|
|
|
|
if (!getnetname(name)) {
|
1997-09-23 06:36:27 +00:00
|
|
|
warnx(
|
|
|
|
"failed to generate host's netname when establishing root's key");
|
1997-05-28 15:44:22 +00:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
memcpy(netstore.st_priv_key, secret, HEXKEYBYTES);
|
|
|
|
memset(netstore.st_pub_key, 0, HEXKEYBYTES);
|
|
|
|
netstore.st_netname = name;
|
|
|
|
if (pk_netput(0, &netstore) != KEY_SUCCESS) {
|
1997-09-23 06:36:27 +00:00
|
|
|
warnx("could not set root's key and netname");
|
1997-05-28 15:44:22 +00:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
return (1);
|
|
|
|
}
|
|
|
|
/*
|
|
|
|
* Decrypt yellow pages publickey entry to get secret key
|
|
|
|
*/
|
|
|
|
passwd = getpass("root password:");
|
|
|
|
passwd2des(passwd, (char *)master);
|
|
|
|
getnetname(name);
|
|
|
|
if (!getsecretkey(name, secret, passwd)) {
|
1997-09-23 06:36:27 +00:00
|
|
|
warnx("can't find %s's secret key", name);
|
1997-05-28 15:44:22 +00:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
if (secret[0] == 0) {
|
1997-09-23 06:36:27 +00:00
|
|
|
warnx("password does not decrypt secret key for %s", name);
|
1997-05-28 15:44:22 +00:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
(void) pk_setkey(0, secret);
|
|
|
|
/*
|
|
|
|
* Store it for future use in $ROOTKEY, if possible
|
|
|
|
*/
|
|
|
|
fd = open(ROOTKEY, O_WRONLY|O_TRUNC|O_CREAT, 0);
|
|
|
|
if (fd > 0) {
|
|
|
|
char newline = '\n';
|
|
|
|
|
|
|
|
write(fd, secret, strlen(secret));
|
|
|
|
write(fd, &newline, sizeof (newline));
|
|
|
|
close(fd);
|
|
|
|
}
|
|
|
|
return (1);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Procedures to implement RPC service
|
|
|
|
*/
|
|
|
|
char *
|
|
|
|
strstatus(status)
|
|
|
|
keystatus status;
|
|
|
|
{
|
|
|
|
switch (status) {
|
|
|
|
case KEY_SUCCESS:
|
|
|
|
return ("KEY_SUCCESS");
|
|
|
|
case KEY_NOSECRET:
|
|
|
|
return ("KEY_NOSECRET");
|
|
|
|
case KEY_UNKNOWN:
|
|
|
|
return ("KEY_UNKNOWN");
|
|
|
|
case KEY_SYSTEMERR:
|
|
|
|
return ("KEY_SYSTEMERR");
|
|
|
|
default:
|
|
|
|
return ("(bad result code)");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
keystatus *
|
|
|
|
key_set_1_svc_prog(uid, key)
|
|
|
|
uid_t uid;
|
|
|
|
keybuf key;
|
|
|
|
{
|
|
|
|
static keystatus status;
|
|
|
|
|
|
|
|
if (debugging) {
|
|
|
|
(void) fprintf(stderr, "set(%ld, %.*s) = ", uid,
|
|
|
|
(int) sizeof (keybuf), key);
|
|
|
|
}
|
|
|
|
status = pk_setkey(uid, key);
|
|
|
|
if (debugging) {
|
|
|
|
(void) fprintf(stderr, "%s\n", strstatus(status));
|
|
|
|
(void) fflush(stderr);
|
|
|
|
}
|
|
|
|
return (&status);
|
|
|
|
}
|
|
|
|
|
|
|
|
cryptkeyres *
|
|
|
|
key_encrypt_pk_2_svc_prog(uid, arg)
|
|
|
|
uid_t uid;
|
|
|
|
cryptkeyarg2 *arg;
|
|
|
|
{
|
|
|
|
static cryptkeyres res;
|
|
|
|
|
|
|
|
if (debugging) {
|
|
|
|
(void) fprintf(stderr, "encrypt(%ld, %s, %08x%08x) = ", uid,
|
|
|
|
arg->remotename, arg->deskey.key.high,
|
|
|
|
arg->deskey.key.low);
|
|
|
|
}
|
|
|
|
res.cryptkeyres_u.deskey = arg->deskey;
|
|
|
|
res.status = pk_encrypt(uid, arg->remotename, &(arg->remotekey),
|
|
|
|
&res.cryptkeyres_u.deskey);
|
|
|
|
if (debugging) {
|
|
|
|
if (res.status == KEY_SUCCESS) {
|
|
|
|
(void) fprintf(stderr, "%08x%08x\n",
|
|
|
|
res.cryptkeyres_u.deskey.key.high,
|
|
|
|
res.cryptkeyres_u.deskey.key.low);
|
|
|
|
} else {
|
|
|
|
(void) fprintf(stderr, "%s\n", strstatus(res.status));
|
|
|
|
}
|
|
|
|
(void) fflush(stderr);
|
|
|
|
}
|
|
|
|
return (&res);
|
|
|
|
}
|
|
|
|
|
|
|
|
cryptkeyres *
|
|
|
|
key_decrypt_pk_2_svc_prog(uid, arg)
|
|
|
|
uid_t uid;
|
|
|
|
cryptkeyarg2 *arg;
|
|
|
|
{
|
|
|
|
static cryptkeyres res;
|
|
|
|
|
|
|
|
if (debugging) {
|
|
|
|
(void) fprintf(stderr, "decrypt(%ld, %s, %08x%08x) = ", uid,
|
|
|
|
arg->remotename, arg->deskey.key.high,
|
|
|
|
arg->deskey.key.low);
|
|
|
|
}
|
|
|
|
res.cryptkeyres_u.deskey = arg->deskey;
|
|
|
|
res.status = pk_decrypt(uid, arg->remotename, &(arg->remotekey),
|
|
|
|
&res.cryptkeyres_u.deskey);
|
|
|
|
if (debugging) {
|
|
|
|
if (res.status == KEY_SUCCESS) {
|
|
|
|
(void) fprintf(stderr, "%08x%08x\n",
|
|
|
|
res.cryptkeyres_u.deskey.key.high,
|
|
|
|
res.cryptkeyres_u.deskey.key.low);
|
|
|
|
} else {
|
|
|
|
(void) fprintf(stderr, "%s\n", strstatus(res.status));
|
|
|
|
}
|
|
|
|
(void) fflush(stderr);
|
|
|
|
}
|
|
|
|
return (&res);
|
|
|
|
}
|
|
|
|
|
|
|
|
keystatus *
|
|
|
|
key_net_put_2_svc_prog(uid, arg)
|
|
|
|
uid_t uid;
|
|
|
|
key_netstarg *arg;
|
|
|
|
{
|
|
|
|
static keystatus status;
|
|
|
|
|
|
|
|
if (debugging) {
|
|
|
|
(void) fprintf(stderr, "net_put(%s, %.*s, %.*s) = ",
|
|
|
|
arg->st_netname, (int)sizeof (arg->st_pub_key),
|
|
|
|
arg->st_pub_key, (int)sizeof (arg->st_priv_key),
|
|
|
|
arg->st_priv_key);
|
|
|
|
};
|
|
|
|
|
|
|
|
status = pk_netput(uid, arg);
|
|
|
|
|
|
|
|
if (debugging) {
|
|
|
|
(void) fprintf(stderr, "%s\n", strstatus(status));
|
|
|
|
(void) fflush(stderr);
|
|
|
|
}
|
|
|
|
|
|
|
|
return (&status);
|
|
|
|
}
|
|
|
|
|
|
|
|
key_netstres *
|
|
|
|
key_net_get_2_svc_prog(uid, arg)
|
|
|
|
uid_t uid;
|
|
|
|
void *arg;
|
|
|
|
{
|
|
|
|
static key_netstres keynetname;
|
|
|
|
|
|
|
|
if (debugging)
|
|
|
|
(void) fprintf(stderr, "net_get(%ld) = ", uid);
|
|
|
|
|
|
|
|
keynetname.status = pk_netget(uid, &keynetname.key_netstres_u.knet);
|
|
|
|
if (debugging) {
|
|
|
|
if (keynetname.status == KEY_SUCCESS) {
|
|
|
|
fprintf(stderr, "<%s, %.*s, %.*s>\n",
|
|
|
|
keynetname.key_netstres_u.knet.st_netname,
|
|
|
|
(int)sizeof (keynetname.key_netstres_u.knet.st_pub_key),
|
|
|
|
keynetname.key_netstres_u.knet.st_pub_key,
|
|
|
|
(int)sizeof (keynetname.key_netstres_u.knet.st_priv_key),
|
|
|
|
keynetname.key_netstres_u.knet.st_priv_key);
|
|
|
|
} else {
|
|
|
|
(void) fprintf(stderr, "NOT FOUND\n");
|
|
|
|
}
|
|
|
|
(void) fflush(stderr);
|
|
|
|
}
|
|
|
|
|
|
|
|
return (&keynetname);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
cryptkeyres *
|
|
|
|
key_get_conv_2_svc_prog(uid, arg)
|
|
|
|
uid_t uid;
|
|
|
|
keybuf arg;
|
|
|
|
{
|
|
|
|
static cryptkeyres res;
|
|
|
|
|
|
|
|
if (debugging)
|
|
|
|
(void) fprintf(stderr, "get_conv(%ld, %.*s) = ", uid,
|
|
|
|
(int)sizeof (arg), arg);
|
|
|
|
|
|
|
|
|
|
|
|
res.status = pk_get_conv_key(uid, arg, &res);
|
|
|
|
|
|
|
|
if (debugging) {
|
|
|
|
if (res.status == KEY_SUCCESS) {
|
|
|
|
(void) fprintf(stderr, "%08x%08x\n",
|
|
|
|
res.cryptkeyres_u.deskey.key.high,
|
|
|
|
res.cryptkeyres_u.deskey.key.low);
|
|
|
|
} else {
|
|
|
|
(void) fprintf(stderr, "%s\n", strstatus(res.status));
|
|
|
|
}
|
|
|
|
(void) fflush(stderr);
|
|
|
|
}
|
|
|
|
return (&res);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
cryptkeyres *
|
|
|
|
key_encrypt_1_svc_prog(uid, arg)
|
|
|
|
uid_t uid;
|
|
|
|
cryptkeyarg *arg;
|
|
|
|
{
|
|
|
|
static cryptkeyres res;
|
|
|
|
|
|
|
|
if (debugging) {
|
|
|
|
(void) fprintf(stderr, "encrypt(%ld, %s, %08x%08x) = ", uid,
|
|
|
|
arg->remotename, arg->deskey.key.high,
|
|
|
|
arg->deskey.key.low);
|
|
|
|
}
|
|
|
|
res.cryptkeyres_u.deskey = arg->deskey;
|
|
|
|
res.status = pk_encrypt(uid, arg->remotename, NULL,
|
|
|
|
&res.cryptkeyres_u.deskey);
|
|
|
|
if (debugging) {
|
|
|
|
if (res.status == KEY_SUCCESS) {
|
|
|
|
(void) fprintf(stderr, "%08x%08x\n",
|
|
|
|
res.cryptkeyres_u.deskey.key.high,
|
|
|
|
res.cryptkeyres_u.deskey.key.low);
|
|
|
|
} else {
|
|
|
|
(void) fprintf(stderr, "%s\n", strstatus(res.status));
|
|
|
|
}
|
|
|
|
(void) fflush(stderr);
|
|
|
|
}
|
|
|
|
return (&res);
|
|
|
|
}
|
|
|
|
|
|
|
|
cryptkeyres *
|
|
|
|
key_decrypt_1_svc_prog(uid, arg)
|
|
|
|
uid_t uid;
|
|
|
|
cryptkeyarg *arg;
|
|
|
|
{
|
|
|
|
static cryptkeyres res;
|
|
|
|
|
|
|
|
if (debugging) {
|
|
|
|
(void) fprintf(stderr, "decrypt(%ld, %s, %08x%08x) = ", uid,
|
|
|
|
arg->remotename, arg->deskey.key.high,
|
|
|
|
arg->deskey.key.low);
|
|
|
|
}
|
|
|
|
res.cryptkeyres_u.deskey = arg->deskey;
|
|
|
|
res.status = pk_decrypt(uid, arg->remotename, NULL,
|
|
|
|
&res.cryptkeyres_u.deskey);
|
|
|
|
if (debugging) {
|
|
|
|
if (res.status == KEY_SUCCESS) {
|
|
|
|
(void) fprintf(stderr, "%08x%08x\n",
|
|
|
|
res.cryptkeyres_u.deskey.key.high,
|
|
|
|
res.cryptkeyres_u.deskey.key.low);
|
|
|
|
} else {
|
|
|
|
(void) fprintf(stderr, "%s\n", strstatus(res.status));
|
|
|
|
}
|
|
|
|
(void) fflush(stderr);
|
|
|
|
}
|
|
|
|
return (&res);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ARGSUSED */
|
|
|
|
des_block *
|
|
|
|
key_gen_1_svc_prog(v, s)
|
|
|
|
void *v;
|
|
|
|
struct svc_req *s;
|
|
|
|
{
|
|
|
|
struct timeval time;
|
|
|
|
static des_block keygen;
|
|
|
|
static des_block key;
|
|
|
|
|
|
|
|
(void) gettimeofday(&time, (struct timezone *) NULL);
|
|
|
|
keygen.key.high += (time.tv_sec ^ time.tv_usec);
|
|
|
|
keygen.key.low += (time.tv_sec ^ time.tv_usec);
|
|
|
|
ecb_crypt((char *)&masterkey, (char *)&keygen, sizeof (keygen),
|
|
|
|
DES_ENCRYPT | DES_HW);
|
|
|
|
key = keygen;
|
|
|
|
des_setparity((char *)&key);
|
|
|
|
if (debugging) {
|
|
|
|
(void) fprintf(stderr, "gen() = %08x%08x\n", key.key.high,
|
|
|
|
key.key.low);
|
|
|
|
(void) fflush(stderr);
|
|
|
|
}
|
|
|
|
return (&key);
|
|
|
|
}
|
|
|
|
|
|
|
|
getcredres *
|
|
|
|
key_getcred_1_svc_prog(uid, name)
|
|
|
|
uid_t uid;
|
|
|
|
netnamestr *name;
|
|
|
|
{
|
|
|
|
static getcredres res;
|
|
|
|
static u_int gids[NGROUPS];
|
|
|
|
struct unixcred *cred;
|
|
|
|
|
|
|
|
cred = &res.getcredres_u.cred;
|
|
|
|
cred->gids.gids_val = gids;
|
|
|
|
if (!netname2user(*name, (uid_t *) &cred->uid, (gid_t *) &cred->gid,
|
|
|
|
(int *)&cred->gids.gids_len, (gid_t *)gids)) {
|
|
|
|
res.status = KEY_UNKNOWN;
|
|
|
|
} else {
|
|
|
|
res.status = KEY_SUCCESS;
|
|
|
|
}
|
|
|
|
if (debugging) {
|
|
|
|
(void) fprintf(stderr, "getcred(%s) = ", *name);
|
|
|
|
if (res.status == KEY_SUCCESS) {
|
|
|
|
(void) fprintf(stderr, "uid=%d, gid=%d, grouplen=%d\n",
|
|
|
|
cred->uid, cred->gid, cred->gids.gids_len);
|
|
|
|
} else {
|
|
|
|
(void) fprintf(stderr, "%s\n", strstatus(res.status));
|
|
|
|
}
|
|
|
|
(void) fflush(stderr);
|
|
|
|
}
|
|
|
|
return (&res);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* RPC boilerplate
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
keyprogram(rqstp, transp)
|
|
|
|
struct svc_req *rqstp;
|
|
|
|
SVCXPRT *transp;
|
|
|
|
{
|
|
|
|
union {
|
|
|
|
keybuf key_set_1_arg;
|
|
|
|
cryptkeyarg key_encrypt_1_arg;
|
|
|
|
cryptkeyarg key_decrypt_1_arg;
|
|
|
|
netnamestr key_getcred_1_arg;
|
|
|
|
cryptkeyarg key_encrypt_2_arg;
|
|
|
|
cryptkeyarg key_decrypt_2_arg;
|
|
|
|
netnamestr key_getcred_2_arg;
|
|
|
|
cryptkeyarg2 key_encrypt_pk_2_arg;
|
|
|
|
cryptkeyarg2 key_decrypt_pk_2_arg;
|
|
|
|
key_netstarg key_net_put_2_arg;
|
|
|
|
netobj key_get_conv_2_arg;
|
|
|
|
} argument;
|
|
|
|
char *result;
|
2002-04-28 15:18:50 +00:00
|
|
|
xdrproc_t xdr_argument, xdr_result;
|
1997-05-28 15:44:22 +00:00
|
|
|
char *(*local) ();
|
|
|
|
uid_t uid = -1;
|
|
|
|
int check_auth;
|
|
|
|
|
|
|
|
switch (rqstp->rq_proc) {
|
|
|
|
case NULLPROC:
|
2002-04-28 15:18:50 +00:00
|
|
|
svc_sendreply(transp, (xdrproc_t)xdr_void, NULL);
|
1997-05-28 15:44:22 +00:00
|
|
|
return;
|
|
|
|
|
|
|
|
case KEY_SET:
|
2002-04-28 15:18:50 +00:00
|
|
|
xdr_argument = (xdrproc_t)xdr_keybuf;
|
|
|
|
xdr_result = (xdrproc_t)xdr_int;
|
1997-05-28 15:44:22 +00:00
|
|
|
local = (char *(*)()) key_set_1_svc_prog;
|
|
|
|
check_auth = 1;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case KEY_ENCRYPT:
|
2002-04-28 15:18:50 +00:00
|
|
|
xdr_argument = (xdrproc_t)xdr_cryptkeyarg;
|
|
|
|
xdr_result = (xdrproc_t)xdr_cryptkeyres;
|
1997-05-28 15:44:22 +00:00
|
|
|
local = (char *(*)()) key_encrypt_1_svc_prog;
|
|
|
|
check_auth = 1;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case KEY_DECRYPT:
|
2002-04-28 15:18:50 +00:00
|
|
|
xdr_argument = (xdrproc_t)xdr_cryptkeyarg;
|
|
|
|
xdr_result = (xdrproc_t)xdr_cryptkeyres;
|
1997-05-28 15:44:22 +00:00
|
|
|
local = (char *(*)()) key_decrypt_1_svc_prog;
|
|
|
|
check_auth = 1;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case KEY_GEN:
|
2002-04-28 15:18:50 +00:00
|
|
|
xdr_argument = (xdrproc_t)xdr_void;
|
|
|
|
xdr_result = (xdrproc_t)xdr_des_block;
|
1997-05-28 15:44:22 +00:00
|
|
|
local = (char *(*)()) key_gen_1_svc_prog;
|
|
|
|
check_auth = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case KEY_GETCRED:
|
2002-04-28 15:18:50 +00:00
|
|
|
xdr_argument = (xdrproc_t)xdr_netnamestr;
|
|
|
|
xdr_result = (xdrproc_t)xdr_getcredres;
|
1997-05-28 15:44:22 +00:00
|
|
|
local = (char *(*)()) key_getcred_1_svc_prog;
|
|
|
|
check_auth = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case KEY_ENCRYPT_PK:
|
2002-04-28 15:18:50 +00:00
|
|
|
xdr_argument = (xdrproc_t)xdr_cryptkeyarg2;
|
|
|
|
xdr_result = (xdrproc_t)xdr_cryptkeyres;
|
1997-05-28 15:44:22 +00:00
|
|
|
local = (char *(*)()) key_encrypt_pk_2_svc_prog;
|
|
|
|
check_auth = 1;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case KEY_DECRYPT_PK:
|
2002-04-28 15:18:50 +00:00
|
|
|
xdr_argument = (xdrproc_t)xdr_cryptkeyarg2;
|
|
|
|
xdr_result = (xdrproc_t)xdr_cryptkeyres;
|
1997-05-28 15:44:22 +00:00
|
|
|
local = (char *(*)()) key_decrypt_pk_2_svc_prog;
|
|
|
|
check_auth = 1;
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
case KEY_NET_PUT:
|
2002-04-28 15:18:50 +00:00
|
|
|
xdr_argument = (xdrproc_t)xdr_key_netstarg;
|
|
|
|
xdr_result = (xdrproc_t)xdr_keystatus;
|
1997-05-28 15:44:22 +00:00
|
|
|
local = (char *(*)()) key_net_put_2_svc_prog;
|
|
|
|
check_auth = 1;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case KEY_NET_GET:
|
|
|
|
xdr_argument = (xdrproc_t) xdr_void;
|
2002-04-28 15:18:50 +00:00
|
|
|
xdr_result = (xdrproc_t)xdr_key_netstres;
|
1997-05-28 15:44:22 +00:00
|
|
|
local = (char *(*)()) key_net_get_2_svc_prog;
|
|
|
|
check_auth = 1;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case KEY_GET_CONV:
|
|
|
|
xdr_argument = (xdrproc_t) xdr_keybuf;
|
2002-04-28 15:18:50 +00:00
|
|
|
xdr_result = (xdrproc_t)xdr_cryptkeyres;
|
1997-05-28 15:44:22 +00:00
|
|
|
local = (char *(*)()) key_get_conv_2_svc_prog;
|
|
|
|
check_auth = 1;
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
svcerr_noproc(transp);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
if (check_auth) {
|
|
|
|
if (root_auth(transp, rqstp) == 0) {
|
|
|
|
if (debugging) {
|
|
|
|
(void) fprintf(stderr,
|
|
|
|
"not local privileged process\n");
|
|
|
|
}
|
|
|
|
svcerr_weakauth(transp);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
if (rqstp->rq_cred.oa_flavor != AUTH_SYS) {
|
|
|
|
if (debugging) {
|
|
|
|
(void) fprintf(stderr,
|
|
|
|
"not unix authentication\n");
|
|
|
|
}
|
|
|
|
svcerr_weakauth(transp);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
uid = ((struct authsys_parms *)rqstp->rq_clntcred)->aup_uid;
|
|
|
|
}
|
|
|
|
|
2002-04-28 15:18:50 +00:00
|
|
|
memset(&argument, 0, sizeof (argument));
|
|
|
|
if (!svc_getargs(transp, xdr_argument, &argument)) {
|
1997-05-28 15:44:22 +00:00
|
|
|
svcerr_decode(transp);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
result = (*local) (uid, &argument);
|
2002-04-28 15:18:50 +00:00
|
|
|
if (!svc_sendreply(transp, xdr_result, result)) {
|
1997-05-28 15:44:22 +00:00
|
|
|
if (debugging)
|
|
|
|
(void) fprintf(stderr, "unable to reply\n");
|
|
|
|
svcerr_systemerr(transp);
|
|
|
|
}
|
2002-04-28 15:18:50 +00:00
|
|
|
if (!svc_freeargs(transp, xdr_argument, &argument)) {
|
1997-05-28 15:44:22 +00:00
|
|
|
if (debugging)
|
|
|
|
(void) fprintf(stderr,
|
|
|
|
"unable to free arguments\n");
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
root_auth(trans, rqstp)
|
|
|
|
SVCXPRT *trans;
|
|
|
|
struct svc_req *rqstp;
|
|
|
|
{
|
|
|
|
uid_t uid;
|
2002-07-15 18:51:57 +00:00
|
|
|
struct sockaddr *remote;
|
1997-05-28 15:44:22 +00:00
|
|
|
|
2002-07-15 18:51:57 +00:00
|
|
|
remote = svc_getrpccaller(trans)->buf;
|
|
|
|
if (remote->sa_family != AF_UNIX) {
|
1997-05-28 15:44:22 +00:00
|
|
|
if (debugging)
|
|
|
|
fprintf(stderr, "client didn't use AF_UNIX\n");
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
2001-03-22 04:31:30 +00:00
|
|
|
if (__rpc_get_local_uid(trans, &uid) < 0) {
|
1997-05-28 15:44:22 +00:00
|
|
|
if (debugging)
|
|
|
|
fprintf(stderr, "__rpc_get_local_uid failed\n");
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (debugging)
|
|
|
|
fprintf(stderr, "local_uid %ld\n", uid);
|
|
|
|
if (uid == 0)
|
|
|
|
return (1);
|
|
|
|
if (rqstp->rq_cred.oa_flavor == AUTH_SYS) {
|
|
|
|
if (((uid_t) ((struct authunix_parms *)
|
|
|
|
rqstp->rq_clntcred)->aup_uid)
|
|
|
|
== uid) {
|
|
|
|
return (1);
|
|
|
|
} else {
|
|
|
|
if (debugging)
|
|
|
|
fprintf(stderr,
|
|
|
|
"local_uid %ld mismatches auth %ld\n", uid,
|
|
|
|
((uid_t) ((struct authunix_parms *)rqstp->rq_clntcred)->aup_uid));
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (debugging)
|
|
|
|
fprintf(stderr, "Not auth sys\n");
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
usage()
|
|
|
|
{
|
|
|
|
(void) fprintf(stderr,
|
|
|
|
"usage: keyserv [-n] [-D] [-d] [-v] [-p path]\n");
|
|
|
|
(void) fprintf(stderr, "-d disables the use of default keys\n");
|
|
|
|
exit(1);
|
|
|
|
}
|