4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
27 * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
30 /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
31 /* All Rights Reserved */
34 * Portions of this source code were derived from Berkeley 4.3 BSD
35 * under license from the Regents of the University of California.
42 * Public and Private (secret) key lookup routines. These functions
43 * are used by the secure RPC auth_des flavor to get the public and
44 * private keys for secure RPC principals. Originally designed to
45 * talk only to YP, AT&T modified them to talk to files, and now
46 * they can also talk to NIS+. The policy for these lookups is now
47 * defined in terms of the nameservice switch as follows :
48 * publickey: nis files
58 #include <sys/types.h>
62 #include <rpc/key_prot.h>
63 #include <rpcsvc/nis.h>
64 #include <rpcsvc/ypclnt.h>
65 #include <rpcsvc/nis_dhext.h>
68 #include <nss_dbdefs.h>
71 static const char *PKMAP
= "publickey.byname";
72 static const char *PKFILE
= "/etc/publickey";
73 static const char dh_caps_str
[] = "DH";
74 static const char des_caps_str
[] = AUTH_DES_AUTH_TYPE
;
76 static char *netname2hashname(const char *, char *, int, keylen_t
,
79 #define WORKBUFSIZE 1024
81 extern int xdecrypt();
83 extern int __yp_match_cflookup(char *, char *, char *, int, char **,
88 * default publickey policy:
89 * publickey: nis [NOTFOUND = return] files
93 /* NSW_NOTSUCCESS NSW_NOTFOUND NSW_UNAVAIL NSW_TRYAGAIN */
94 #define DEF_ACTION {__NSW_RETURN, __NSW_RETURN, __NSW_CONTINUE, __NSW_CONTINUE}
96 static struct __nsw_lookup lookup_files
= {"files", DEF_ACTION
, NULL
, NULL
},
97 lookup_nis
= {"nis", DEF_ACTION
, NULL
, &lookup_files
};
98 static struct __nsw_switchconfig publickey_default
=
99 {0, "publickey", 2, &lookup_nis
};
105 extern mutex_t serialize_pkey
;
107 static int extract_secret();
110 * db_root is used for switch backends.
112 static DEFINE_NSS_DB_ROOT(db_root
);
119 str2key(const char *instr
, int lenstr
,
120 void *ent
, char *buffer
, int buflen
) {
121 if (lenstr
+ 1 > buflen
)
122 return (NSS_STR_PARSE_ERANGE
);
124 * We copy the input string into the output buffer
126 (void) memcpy(buffer
, instr
, lenstr
);
127 buffer
[lenstr
] = '\0';
129 return (NSS_STR_PARSE_SUCCESS
);
132 * These functions are the "backends" for the switch for public keys. They
133 * get both the public and private keys from each of the supported name
134 * services (nis, files). They are passed the appropriate parameters
135 * and return 0 if unsuccessful with *errp set, or 1 when they got just the
136 * public key and 3 when they got both the public and private keys.
141 * Internal implementation of getpublickey() using NIS (aka Yellow Pages,
144 * NOTE : *** this function returns nsswitch codes and _not_ the
145 * value returned by getpublickey.
148 getkeys_nis(int *errp
, char *netname
, char *pkey
, char *skey
, char *passwd
)
152 int keylen
, err
, r
= 0;
156 p
= strchr(netname
, '@');
158 *errp
= __NSW_UNAVAIL
;
166 * Instead of calling yp_match(), we use __yp_match_cflookup() here
167 * which has time-out control for the binding operation to nis
170 err
= __yp_match_cflookup(domain
, (char *)PKMAP
, netname
,
171 strlen(netname
), &keyval
, &keylen
, 0);
176 *errp
= __NSW_NOTFOUND
;
180 *errp
= __NSW_UNAVAIL
;
186 p
= strchr(keyval
, ':');
189 *errp
= __NSW_NOTFOUND
;
194 len
= strlen(keyval
);
195 if (len
> HEXKEYBYTES
) {
197 *errp
= __NSW_NOTFOUND
;
200 (void) strcpy(pkey
, keyval
);
204 if (skey
&& extract_secret(p
, skey
, passwd
))
207 *errp
= __NSW_SUCCESS
;
214 * The files version of getpublickey. This function attempts to
215 * get the publickey from the file PKFILE .
217 * This function defines the format of the /etc/publickey file to
219 * netname <whitespace> publickey:privatekey
221 * NOTE : *** this function returns nsswitch codes and _not_ the
222 * value returned by getpublickey.
226 getkeys_files(int *errp
, char *netname
, char *pkey
, char *skey
, char *passwd
)
230 char buf
[WORKBUFSIZE
];
237 fd
= fopen(PKFILE
, "rF");
239 *errp
= __NSW_UNAVAIL
;
243 /* Search through the file linearly :-( */
244 while ((res
= fgets(buf
, WORKBUFSIZE
, fd
)) != NULL
) {
246 if ((res
[0] == '#') || (res
[0] == '\n'))
249 mkey
= strtok_r(buf
, "\t ", &lasts
);
252 "getpublickey: Bad record in %s for %s",
256 mval
= strtok_r(NULL
, " \t#\n", &lasts
);
259 "getpublickey: Bad record in %s for %s",
263 /* NOTE : Case insensitive compare. */
264 if (strcasecmp(mkey
, netname
) == 0) {
265 p
= strchr(mval
, ':');
268 "getpublickey: Bad record in %s for %s",
275 int len
= strlen(mval
);
277 if (len
> HEXKEYBYTES
) {
279 "getpublickey: Bad record in %s for %s",
283 (void) strcpy(pkey
, mval
);
287 if (skey
&& extract_secret(p
, skey
, passwd
))
290 *errp
= __NSW_SUCCESS
;
297 *errp
= __NSW_NOTFOUND
;
302 * getpublickey(netname, key)
304 * This is the actual exported interface for this function.
308 __getpublickey_cached(char *netname
, char *pkey
, int *from_cache
)
310 return (__getpublickey_cached_g(netname
, KEYSIZE
, 0, pkey
,
311 HEXKEYBYTES
+1, from_cache
));
315 getpublickey(const char *netname
, char *pkey
)
317 return (__getpublickey_cached((char *)netname
, pkey
, (int *)0));
321 __getpublickey_flush(const char *netname
)
323 __getpublickey_flush_g(netname
, 192, 0);
327 getsecretkey(const char *netname
, char *skey
, const char *passwd
)
329 return (getsecretkey_g(netname
, KEYSIZE
, 0, skey
, HEXKEYBYTES
+1,
334 * Routines to cache publickeys.
339 * Generic DH (any size keys) version of extract_secret.
344 char *private, /* out */
346 char *passwd
, /* in */
347 char *netname
, /* in */
348 keylen_t keylen
, /* in */
349 algtype_t algtype
) /* in */
358 * This generic function will extract the private key
359 * from a string using the given password. Note that
360 * it uses the DES based function xdecrypt()
363 extract_secret(char *raw
, char *private, char *passwd
)
365 return (extract_secret_g(raw
, private, HEXKEYBYTES
+1, passwd
,
372 * Fetches the key pair from LDAP. This version handles any size
377 _nss_initf_publickey(nss_db_params_t
*p
)
379 p
->name
= NSS_DBNAM_PUBLICKEY
;
380 p
->default_config
= NSS_DEFCONF_PUBLICKEY
;
387 char *netname
, /* in */
388 char *pkey
, /* out */
389 int pkeylen
, /* in */
390 char *skey
, /* out */
391 int skeylen
, /* in */
392 char *passwd
, /* in */
393 keylen_t keylen
, /* in */
394 algtype_t algtype
) /* in */
398 char keytypename
[NIS_MAXNAMELEN
+1];
400 const bool_t classic_des
= AUTH_DES_KEY(keylen
, algtype
);
403 nss_XbyY_buf_t
*buf
= NULL
;
406 NSS_XbyY_ALLOC(&buf
, 0, NSS_BUFLEN_PUBLICKEY
);
408 NSS_XbyY_INIT(&arg
, buf
->result
, buf
->buffer
, buf
->buflen
, str2key
);
409 arg
.key
.pkey
.name
= netname
;
412 * LDAP stores the public and secret key info in entries using
413 * nisKeyObject objectclass. Each key is tagged with the
414 * keytype, keylength, and algorithm. The tag has the following
415 * format: {<keytype><keylength>-<algorithm>}. For example,
419 (void) strcpy(keytypename
, "{DH192-0}");
421 (void) sprintf(keytypename
, "{%s%d-%d}",
422 dh_caps_str
, keylen
, algtype
);
423 arg
.key
.pkey
.keytype
= keytypename
;
425 if (nss_search(&db_root
, _nss_initf_publickey
, NSS_DBOP_KEYS_BYNAME
,
426 &arg
) != NSS_SUCCESS
) {
428 *err
= __NSW_NOTFOUND
;
431 keyval
= buf
->buffer
;
432 p
= strchr(keyval
, ':');
435 *err
= __NSW_NOTFOUND
;
440 len
= strlen(keyval
);
441 if (len
> HEXKEYBYTES
) {
443 *err
= __NSW_NOTFOUND
;
446 (void) strcpy(pkey
, keyval
);
450 if (skey
&& extract_secret(p
, skey
, passwd
))
453 *err
= __NSW_SUCCESS
;
459 * Convert a netname to a name we will hash on. For classic_des,
460 * just copy netname as is. But for new and improved ("now in
461 * new longer sizes!") DHEXT, add a ":keylen-algtype" suffix to hash on.
463 * Returns the hashname string on success or NULL on failure.
473 const bool_t classic_des
= AUTH_DES_KEY(keylen
, algtype
);
475 if (!netname
|| !hashname
|| !bufsiz
)
479 if (bufsiz
> strlen(netname
))
480 (void) strcpy(hashname
, netname
);
485 (void) sprintf(tmp
, ":%d-%d", keylen
, algtype
);
486 if (bufsiz
> (strlen(netname
) + strlen(tmp
)))
487 (void) sprintf(hashname
, "%s%s", netname
, tmp
);
496 * Flush netname's publickey of the given key length and algorithm type.
499 __getpublickey_flush_g(const char *netname
, keylen_t keylen
, algtype_t algtype
)
501 char *p
, hashname
[MAXNETNAMELEN
+1];
502 p
= netname2hashname(netname
, hashname
, MAXNETNAMELEN
, keylen
, algtype
);
506 * Generic DH (any size keys) version of __getpublickey_cached.
509 __getpublickey_cached_g(const char netname
[], /* in */
510 keylen_t keylen
, /* in */
511 algtype_t algtype
, /* in */
512 char *pkey
, /* out */
513 size_t pkeylen
, /* in */
514 int *from_cache
) /* in/out */
516 int needfree
= 1, res
, err
;
517 struct __nsw_switchconfig
*conf
;
518 struct __nsw_lookup
*look
;
519 enum __nsw_parse_err perr
;
520 const bool_t classic_des
= AUTH_DES_KEY(keylen
, algtype
);
523 if (!netname
|| !pkey
)
526 conf
= __nsw_getconfig("publickey", &perr
);
528 conf
= &publickey_default
;
531 for (look
= conf
->lookups
; look
; look
= look
->next
) {
532 if (strcmp(look
->service_name
, "ldap") == 0) {
533 res
= getkeys_ldap_g(&err
, (char *)netname
,
534 pkey
, pkeylen
, NULL
, 0, NULL
,
536 /* long DH keys will not be in nis or files */
537 } else if (classic_des
&&
538 strcmp(look
->service_name
, "nis") == 0)
539 res
= getkeys_nis(&err
, (char *)netname
, pkey
,
541 else if (classic_des
&&
542 strcmp(look
->service_name
, "files") == 0)
543 res
= getkeys_files(&err
, (char *)netname
, pkey
,
546 syslog(LOG_INFO
, "Unknown publickey nameservice '%s'",
552 switch (look
->actions
[err
]) {
553 case __NSW_CONTINUE
:
557 __nsw_freeconfig(conf
);
558 return ((res
& 1) != 0);
560 syslog(LOG_INFO
, "Unknown action for nameservice %s",
566 __nsw_freeconfig(conf
);
573 * Generic (all sizes) DH version of getpublickey.
577 const char *netname
, /* in */
579 int algtype
, /* in */
580 char *pkey
, /* out */
581 size_t pkeylen
) /* in */
583 return (__getpublickey_cached_g(netname
, keylen
, algtype
, pkey
,
588 * Generic (all sizes) DH version of getsecretkey_g.
592 const char *netname
, /* in */
593 keylen_t keylen
, /* in */
594 algtype_t algtype
, /* in */
595 char *skey
, /* out */
596 size_t skeylen
, /* in */
597 const char *passwd
) /* in */
599 int needfree
= 1, res
, err
;
600 struct __nsw_switchconfig
*conf
;
601 struct __nsw_lookup
*look
;
602 enum __nsw_parse_err perr
;
603 const bool_t classic_des
= AUTH_DES_KEY(keylen
, algtype
);
605 if (!netname
|| !skey
|| !skeylen
)
608 conf
= __nsw_getconfig("publickey", &perr
);
611 conf
= &publickey_default
;
615 for (look
= conf
->lookups
; look
; look
= look
->next
) {
616 if (strcmp(look
->service_name
, "ldap") == 0)
617 res
= getkeys_ldap_g(&err
, (char *)netname
,
618 NULL
, 0, skey
, skeylen
,
619 (char *)passwd
, keylen
, algtype
);
620 /* long DH keys will not be in nis or files */
621 else if (classic_des
&& strcmp(look
->service_name
, "nis") == 0)
622 res
= getkeys_nis(&err
, (char *)netname
,
623 NULL
, skey
, (char *)passwd
);
624 else if (classic_des
&&
625 strcmp(look
->service_name
, "files") == 0)
626 res
= getkeys_files(&err
, (char *)netname
,
627 NULL
, skey
, (char *)passwd
);
629 syslog(LOG_INFO
, "Unknown publickey nameservice '%s'",
634 switch (look
->actions
[err
]) {
635 case __NSW_CONTINUE
:
639 __nsw_freeconfig(conf
);
640 return ((res
& 2) != 0);
642 syslog(LOG_INFO
, "Unknown action for nameservice %s",
647 __nsw_freeconfig(conf
);