4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
23 * Copyright 2017 Joyent Inc
24 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
25 * Use is subject to license terms.
28 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
29 /* All Rights Reserved */
32 * University Copyright- Copyright (c) 1982, 1986, 1988
33 * The Regents of the University of California
36 * University Acknowledgment- Portions of this document are derived from
37 * software developed by the University of California, Berkeley, and its
42 * keyserv - server for storing private encryption keys
43 * keyserv(1M) performs multiple functions: it stores secret keys per uid; it
44 * performs public key encryption and decryption operations; and it generates
45 * "random" keys. keyserv(1M) will talk to no one but a local root process on
46 * the local transport only.
50 #include <stdio_ext.h>
52 #include <sys/types.h>
59 #include <sys/param.h>
61 #include <sys/resource.h>
63 #include <rpc/des_crypt.h>
64 #include <rpc/key_prot.h>
66 #include "rpc/svc_mt.h"
67 #include <rpcsvc/nis_dhext.h>
70 #include <sys/debug.h>
73 #include "keyserv_cache.h"
79 extern keystatus
pk_setkey();
80 extern keystatus
pk_encrypt();
81 extern keystatus
pk_decrypt();
82 extern keystatus
pk_netput();
83 extern keystatus
pk_netget();
84 extern keystatus
pk_get_conv_key();
85 extern bool_t
svc_get_local_cred();
87 extern keystatus
pk_setkey3();
88 extern keystatus
pk_encrypt3();
89 extern keystatus
pk_decrypt3();
90 extern keystatus
pk_netput3();
91 extern keystatus
pk_netget3();
92 extern keystatus
pk_get_conv_key3();
93 extern keystatus
pk_clear3();
95 extern int init_mechs();
96 extern int addmasterkey();
97 extern int storeotherrootkeys();
98 extern int setdeskeyarray();
100 extern int getdomainname();
102 static void randomize();
104 static void defaults();
105 static int getrootkey();
106 static int get_cache_size(char *);
107 static bool_t
get_auth();
110 extern int test_debug();
111 extern int real_debug();
117 static void keyprogram();
118 static des_block masterkey
;
120 static char ROOTKEY
[] = "/etc/.rootkey";
122 static char *defaults_file
= "/etc/default/keyserv";
123 static int use_nobody_keys
= TRUE
;
126 * Hack to allow the keyserver to use AUTH_DES. The only functions
127 * that get called are key_encryptsession_pk, key_decryptsession_pk,
130 * The approach is to have the keyserver fill in pointers to local
131 * implementations of these functions, and to call those in key_call().
134 bool_t
__key_encrypt_pk_2_svc();
135 bool_t
__key_decrypt_pk_2_svc();
136 bool_t
__key_gen_1_svc();
138 extern bool_t (*__key_encryptsession_pk_LOCAL
)();
139 extern bool_t (*__key_decryptsession_pk_LOCAL
)();
140 extern bool_t (*__key_gendes_LOCAL
)();
142 static int nthreads
= 32;
144 /* Disk caching of common keys on by default */
145 int disk_caching
= 1;
150 * The default size for all types of mech.
151 * positive integers denote multiples of 1MB
152 * negative integers denote number of entries
153 * same goes for non-null entries in cache_size
155 static int default_cache
= 1;
158 char **cache_options
;
161 main(int argc
, char *argv
[])
163 int sflag
= 0, s1flag
= 0, s2flag
= 0, nflag
= 0, dflag
= 0, eflag
= 0;
164 char *options
, *value
;
169 int mode
= RPC_SVC_MT_AUTO
;
170 int maxrecsz
= RPC_MAXDATASIZE
;
172 void detachfromtty(void);
174 int pk_nodefaultkeys();
175 int svc_create_local_service();
177 char domainname
[MAXNETNAMELEN
+ 1];
180 * Set our allowed number of file descriptors to the max
181 * of what the system will allow, limited by FD_SETSIZE.
183 if (getrlimit(RLIMIT_NOFILE
, &rl
) == 0) {
186 if ((limit
= rl
.rlim_max
) > FD_SETSIZE
)
189 (void) setrlimit(RLIMIT_NOFILE
, &rl
);
190 (void) enable_extended_FILE_stdio(-1, -1);
193 __key_encryptsession_pk_LOCAL
= &__key_encrypt_pk_2_svc
;
194 __key_decryptsession_pk_LOCAL
= &__key_decrypt_pk_2_svc
;
195 __key_gendes_LOCAL
= &__key_gen_1_svc
;
198 * Pre-option initialisation
200 (void) umask(066); /* paranoia */
201 if (geteuid() != 0) {
202 (void) fprintf(stderr
, "%s must be run as root\n", argv
[0]);
205 setmodulus(HEXMODULUS
);
206 openlog("keyserv", LOG_PID
, LOG_DAEMON
);
209 * keyserv will not work with a null domainname.
211 if (getdomainname(domainname
, MAXNETNAMELEN
+1) ||
212 (domainname
[0] == '\0')) {
213 syslog(LOG_ERR
, "could not get a valid domainname.\n");
214 exit(SMF_EXIT_ERR_CONFIG
);
218 * Initialise security mechanisms
221 cache_options
= NULL
;
222 if (init_mechs() == -1) {
228 while ((c
= getopt(argc
, argv
, "ndDet:cs:")) != -1)
235 use_nobody_keys
= FALSE
;
239 use_nobody_keys
= TRUE
;
245 nthreads
= atoi(optarg
);
252 fprintf(stderr
, "missing configuration file");
253 fprintf(stderr
, " or -c option specified\n");
258 * Which version of [-s] do we have...?
260 if (strchr((const char *) optarg
, '=') == NULL
) {
265 fprintf(stderr
, "duplicate"
270 default_cache
= get_cache_size(optarg
);
274 * -s <mechtype>=<size>[,...]
278 while (*options
!= '\0') {
279 d
= getsubopt(&options
, cache_options
, &value
);
281 /* Ignore unknown mechtype */
286 "missing cache size for "
287 "mechtype %s\n", cache_options
[d
]);
290 cache_size
[d
] = get_cache_size(value
);
299 if (dflag
&& eflag
) {
300 (void) fprintf(stderr
, "specify only one of -d and -e\n");
304 if (use_nobody_keys
== FALSE
) {
308 if (optind
!= argc
) {
312 if (!disk_caching
&& sflag
) {
313 fprintf(stderr
, "missing configuration file");
314 fprintf(stderr
, " or -c option specified\n");
320 char **cpp
= cache_options
;
321 int *ip
= cache_size
;
322 (void) fprintf(stderr
, "default disk cache size: ");
323 if (default_cache
< 0) {
324 (void) fprintf(stderr
, "%d entries\n",
327 (void) fprintf(stderr
, "%dMB\n", default_cache
);
330 (void) fprintf(stderr
, "supported mechanisms:\n");
331 (void) fprintf(stderr
, "\talias\t\tdisk cache size\n");
332 (void) fprintf(stderr
, "\t=====\t\t===============\n");
333 while (*cpp
!= NULL
) {
334 (void) fprintf(stderr
, "\t%s\t\t", *cpp
++);
336 (void) fprintf(stderr
, "%d entries\n",
339 (void) fprintf(stderr
, "%dMB\n", *ip
);
344 (void) fprintf(stderr
,
345 "common key disk caching disabled\n");
349 * Post-option initialisation
353 for (i
= 0; mechs
[i
]; i
++) {
354 if ((AUTH_DES_COMPAT_CHK(mechs
[i
])) ||
355 (mechs
[i
]->keylen
< 0) || (mechs
[i
]->algtype
< 0))
357 create_cache_file(mechs
[i
]->keylen
, mechs
[i
]->algtype
,
358 cache_size
[i
] ? cache_size
[i
] : default_cache
);
361 getrootkey(&masterkey
, nflag
);
367 (void) rpc_control(RPC_SVC_MTMODE_SET
, &mode
);
368 (void) rpc_control(RPC_SVC_THRMAX_SET
, &nthreads
);
372 * Enable non-blocking mode and maximum record size checks for
373 * connection oriented transports.
375 if (!rpc_control(RPC_SVC_CONNMAXREC_SET
, &maxrecsz
)) {
376 syslog(LOG_INFO
, "unable to set max RPC record size");
379 if (svc_create_local_service(keyprogram
, KEY_PROG
, KEY_VERS
,
380 "netpath", "keyserv") == 0) {
382 "%s: unable to create service for version %d\n",
387 if (svc_create_local_service(keyprogram
, KEY_PROG
, KEY_VERS2
,
388 "netpath", "keyserv") == 0) {
390 "%s: unable to create service for version %d\n",
395 if (svc_create_local_service(keyprogram
, KEY_PROG
, KEY_VERS3
,
396 "netpath", "keyserv") == 0) {
398 "%s: unable to create service for version %d\n",
407 if (svc_create(keyprogram
, KEY_PROG
, KEY_VERS
, "door") == 0) {
409 "%s: unable to create service over doors for version %d\n",
414 if (svc_create(keyprogram
, KEY_PROG
, KEY_VERS2
, "door") == 0) {
416 "%s: unable to create service over doors for version %d\n",
421 if (svc_create(keyprogram
, KEY_PROG
, KEY_VERS3
, "door") == 0) {
423 "%s: unable to create service over doors for version %d\n",
436 * In the event that we don't get a root password, we try to
437 * randomize the master key the best we can
449 for (i
= 0; i
< 1024; i
++) {
450 (void) gettimeofday(&tv
, NULL
);
451 shift
= i
% 8 * sizeof (int);
452 seed
^= (tv
.tv_usec
<< shift
) | (tv
.tv_usec
>> (32 - shift
));
454 #ifdef KEYSERV_RANDOM
456 master
->key
.low
= random();
457 master
->key
.high
= random();
460 /* use stupid dangerous bad rand() */
462 master
->key
.low
= rand();
463 master
->key
.high
= rand();
469 fgets_ignorenul(char *s
, int n
, FILE *stream
)
471 int fildes
= fileno(stream
);
480 rs
= read(fildes
, &c
, 1);
509 /* Should last until 16384-bit DH keys */
510 #define MAXROOTKEY_LINE_LEN 4224
511 #define MAXROOTKEY_LEN 4096
512 #define ROOTKEY_FILE "/etc/.rootkey"
515 getotherrootkeys(char *name
)
518 char line
[MAXROOTKEY_LINE_LEN
];
519 char key
[MAXROOTKEY_LEN
];
523 if (!(rootkey
= fopen(ROOTKEY
, "r")))
526 while (fgets_ignorenul(line
, MAXROOTKEY_LINE_LEN
, rootkey
)) {
527 debug(KEYSERV_DEBUG0
, ("ROOTKEY %d: %s\n", count
, line
));
529 if (sscanf(line
, "%s %d", key
, &algtype
) < 2) {
531 * No encryption algorithm found in the file
532 * (algtype) so default to DES.
534 algtype
= AUTH_DES_ALGTYPE
;
538 addmasterkey(key
, name
, algtype
);
545 * Try to get root's secret key, by prompting if terminal is a tty, else trying
546 * from standard input.
547 * Returns 1 on success.
550 getrootkey(master
, prompt
)
555 char name
[MAXNETNAMELEN
+ 1];
556 char secret
[HEXKEYBYTES
+ 1];
562 if (!getnetname(name
)) {
563 (void) fprintf(stderr
, "keyserv: \
564 failed to generate host's netname when establishing root's key.\n");
568 return (getotherrootkeys(name
));
571 * Decrypt yellow pages publickey entry to get secret key
573 passwd
= getpass("root password:");
574 passwd2des(passwd
, master
);
575 if (!getsecretkey(name
, secret
, passwd
)) {
576 (void) fprintf(stderr
,
577 "Can't find %s's secret key\n", name
);
580 if (secret
[0] == 0) {
581 (void) fprintf(stderr
,
582 "Password does not decrypt secret key for %s\n", name
);
585 if ((fp
= fopen(ROOTKEY
, "w")) == NULL
) {
586 (void) fprintf(stderr
,
587 "Cannot open %s for write\n", ROOTKEY
);
590 retval
= storeotherrootkeys(fp
, name
, passwd
, secret
);
596 * Procedures to implement RPC service. These procedures are named
597 * differently from the definitions in key_prot.h (generated by rpcgen)
598 * because they take different arguments.
606 return ("KEY_SUCCESS");
608 return ("KEY_NOSECRET");
610 return ("KEY_UNKNOWN");
612 return ("KEY_SYSTEMERR");
614 return ("KEY_BADALG");
616 return ("KEY_BADLEN");
618 return ("(bad result code)");
623 __key_set_1_svc(uid
, key
, status
)
629 (void) fprintf(stderr
, "set(%d, %.*s) = ", uid
,
630 sizeof (keybuf
), key
);
632 *status
= pk_setkey(uid
, key
);
634 (void) fprintf(stderr
, "%s\n", strstatus(*status
));
635 (void) fflush(stderr
);
641 __key_encrypt_pk_2_svc(uid
, arg
, res
)
648 (void) fprintf(stderr
, "encrypt(%d, %s, %08x%08x) = ", uid
,
649 arg
->remotename
, arg
->deskey
.key
.high
,
650 arg
->deskey
.key
.low
);
652 res
->cryptkeyres_u
.deskey
= arg
->deskey
;
653 res
->status
= pk_encrypt(uid
, arg
->remotename
, &(arg
->remotekey
),
654 &res
->cryptkeyres_u
.deskey
);
656 if (res
->status
== KEY_SUCCESS
) {
657 (void) fprintf(stderr
, "%08x%08x\n",
658 res
->cryptkeyres_u
.deskey
.key
.high
,
659 res
->cryptkeyres_u
.deskey
.key
.low
);
661 (void) fprintf(stderr
, "%s\n", strstatus(res
->status
));
663 (void) fflush(stderr
);
669 __key_decrypt_pk_2_svc(uid
, arg
, res
)
676 (void) fprintf(stderr
, "decrypt(%d, %s, %08x%08x) = ", uid
,
677 arg
->remotename
, arg
->deskey
.key
.high
,
678 arg
->deskey
.key
.low
);
680 res
->cryptkeyres_u
.deskey
= arg
->deskey
;
681 res
->status
= pk_decrypt(uid
, arg
->remotename
, &(arg
->remotekey
),
682 &res
->cryptkeyres_u
.deskey
);
684 if (res
->status
== KEY_SUCCESS
) {
685 (void) fprintf(stderr
, "%08x%08x\n",
686 res
->cryptkeyres_u
.deskey
.key
.high
,
687 res
->cryptkeyres_u
.deskey
.key
.low
);
689 (void) fprintf(stderr
, "%s\n", strstatus(res
->status
));
691 (void) fflush(stderr
);
697 __key_net_put_2_svc(uid
, arg
, status
)
704 (void) fprintf(stderr
, "net_put(%s, %.*s, %.*s) = ",
705 arg
->st_netname
, sizeof (arg
->st_pub_key
),
706 arg
->st_pub_key
, sizeof (arg
->st_priv_key
),
710 *status
= pk_netput(uid
, arg
);
713 (void) fprintf(stderr
, "%s\n", strstatus(*status
));
714 (void) fflush(stderr
);
722 __key_net_get_2_svc(uid
, arg
, keynetname
)
725 key_netstres
*keynetname
;
729 (void) fprintf(stderr
, "net_get(%d) = ", uid
);
731 keynetname
->status
= pk_netget(uid
, &keynetname
->key_netstres_u
.knet
);
733 if (keynetname
->status
== KEY_SUCCESS
) {
734 fprintf(stderr
, "<%s, %.*s, %.*s>\n",
735 keynetname
->key_netstres_u
.knet
.st_netname
,
736 sizeof (keynetname
->key_netstres_u
.knet
.st_pub_key
),
737 keynetname
->key_netstres_u
.knet
.st_pub_key
,
738 sizeof (keynetname
->key_netstres_u
.knet
.st_priv_key
),
739 keynetname
->key_netstres_u
.knet
.st_priv_key
);
741 (void) fprintf(stderr
, "NOT FOUND\n");
743 (void) fflush(stderr
);
751 __key_get_conv_2_svc(uid_t uid
, keybuf arg
, cryptkeyres
*res
)
755 (void) fprintf(stderr
, "get_conv(%d, %.*s) = ", uid
,
756 sizeof (keybuf
), arg
);
759 res
->status
= pk_get_conv_key(uid
, arg
, res
);
762 if (res
->status
== KEY_SUCCESS
) {
763 (void) fprintf(stderr
, "%08x%08x\n",
764 res
->cryptkeyres_u
.deskey
.key
.high
,
765 res
->cryptkeyres_u
.deskey
.key
.low
);
767 (void) fprintf(stderr
, "%s\n", strstatus(res
->status
));
769 (void) fflush(stderr
);
776 __key_encrypt_1_svc(uid
, arg
, res
)
783 (void) fprintf(stderr
, "encrypt(%d, %s, %08x%08x) = ", uid
,
784 arg
->remotename
, arg
->deskey
.key
.high
,
785 arg
->deskey
.key
.low
);
787 res
->cryptkeyres_u
.deskey
= arg
->deskey
;
788 res
->status
= pk_encrypt(uid
, arg
->remotename
, NULL
,
789 &res
->cryptkeyres_u
.deskey
);
791 if (res
->status
== KEY_SUCCESS
) {
792 (void) fprintf(stderr
, "%08x%08x\n",
793 res
->cryptkeyres_u
.deskey
.key
.high
,
794 res
->cryptkeyres_u
.deskey
.key
.low
);
796 (void) fprintf(stderr
, "%s\n", strstatus(res
->status
));
798 (void) fflush(stderr
);
804 __key_decrypt_1_svc(uid
, arg
, res
)
810 (void) fprintf(stderr
, "decrypt(%d, %s, %08x%08x) = ", uid
,
811 arg
->remotename
, arg
->deskey
.key
.high
,
812 arg
->deskey
.key
.low
);
814 res
->cryptkeyres_u
.deskey
= arg
->deskey
;
815 res
->status
= pk_decrypt(uid
, arg
->remotename
, NULL
,
816 &res
->cryptkeyres_u
.deskey
);
818 if (res
->status
== KEY_SUCCESS
) {
819 (void) fprintf(stderr
, "%08x%08x\n",
820 res
->cryptkeyres_u
.deskey
.key
.high
,
821 res
->cryptkeyres_u
.deskey
.key
.low
);
823 (void) fprintf(stderr
, "%s\n", strstatus(res
->status
));
825 (void) fflush(stderr
);
832 __key_gen_1_svc(v
, s
, key
)
838 static des_block keygen
;
839 static mutex_t keygen_mutex
= DEFAULTMUTEX
;
842 (void) gettimeofday(&time
, NULL
);
843 (void) mutex_lock(&keygen_mutex
);
844 keygen
.key
.high
+= (time
.tv_sec
^ time
.tv_usec
);
845 keygen
.key
.low
+= (time
.tv_sec
^ time
.tv_usec
);
846 r
= ecb_crypt((char *)&masterkey
, (char *)&keygen
, sizeof (keygen
),
847 DES_ENCRYPT
| DES_HW
);
848 if (r
!= DESERR_NONE
&& r
!= DESERR_NOHWDEVICE
) {
849 mutex_unlock(&keygen_mutex
);
853 mutex_unlock(&keygen_mutex
);
855 des_setparity_g(key
);
857 (void) fprintf(stderr
, "gen() = %08x%08x\n", key
->key
.high
,
859 (void) fflush(stderr
);
866 __key_getcred_1_svc(uid
, name
, res
)
871 struct unixcred
*cred
;
873 cred
= &res
->getcredres_u
.cred
;
874 if (!netname2user(*name
, (uid_t
*)&cred
->uid
, (gid_t
*)&cred
->gid
,
875 (int *)&cred
->gids
.gids_len
,
876 (gid_t
*)cred
->gids
.gids_val
)) {
877 res
->status
= KEY_UNKNOWN
;
879 res
->status
= KEY_SUCCESS
;
882 (void) fprintf(stderr
, "getcred(%s) = ", *name
);
883 if (res
->status
== KEY_SUCCESS
) {
884 (void) fprintf(stderr
, "uid=%d, gid=%d, grouplen=%d\n",
885 cred
->uid
, cred
->gid
, cred
->gids
.gids_len
);
887 (void) fprintf(stderr
, "%s\n", strstatus(res
->status
));
889 (void) fflush(stderr
);
895 * Version 3 procedures follow...
899 __key_set_3_svc(uid_t uid
, setkeyarg3
*arg
, keystatus
*status
)
901 debug(KEYSERV_DEBUG
, ("__key_set_3_svc(%d, %d, %d)",
902 uid
, arg
->algtype
, arg
->keylen
));
903 *status
= pk_setkey3(uid
, arg
);
904 debug(KEYSERV_DEBUG
, ("__key_set_3_svc %s", strstatus(*status
)));
909 __key_encrypt_3_svc(uid_t uid
, cryptkeyarg3
*arg
, cryptkeyres3
*res
)
914 debug(KEYSERV_DEBUG
, ("encrypt_3(%d %d %s)", uid
,
915 arg
->deskey
.deskeyarray_len
, arg
->remotename
));
916 res
->status
= pk_encrypt3(uid
, arg
, &res
->cryptkeyres3_u
.deskey
);
917 len
= res
->cryptkeyres3_u
.deskey
.deskeyarray_len
;
918 dp
= res
->cryptkeyres3_u
.deskey
.deskeyarray_val
;
919 for (i
= 0; i
< len
; i
++) {
920 debug(KEYSERV_DEBUG0
, ("encrypt_3 retval[%d] == (%x,%x)",
921 i
, dp
->key
.high
, dp
->key
.low
));
924 debug(KEYSERV_DEBUG
, ("encrypt_3 returned %s", strstatus(res
->status
)));
929 __key_decrypt_3_svc(uid_t uid
, cryptkeyarg3
*arg
, cryptkeyres3
*res
)
934 debug(KEYSERV_DEBUG
, ("decrypt_3(%d, %d, %s)", uid
,
935 arg
->deskey
.deskeyarray_len
, arg
->remotename
));
936 res
->status
= pk_decrypt3(uid
, arg
, &res
->cryptkeyres3_u
.deskey
);
937 len
= res
->cryptkeyres3_u
.deskey
.deskeyarray_len
;
938 dp
= res
->cryptkeyres3_u
.deskey
.deskeyarray_val
;
939 for (i
= 0; i
< len
; i
++) {
940 debug(KEYSERV_DEBUG0
, ("decrypt_3 retval[%d] == (%x,%x)",
941 i
, dp
->key
.high
, dp
->key
.low
));
944 debug(KEYSERV_DEBUG
, ("decrypt_3 returned %s", strstatus(res
->status
)));
950 __key_gen_3_svc(void *v
, keynum_t
*kp
, deskeyarray
*res
)
953 keynum_t keynum
= *kp
;
955 debug(KEYSERV_DEBUG
, ("gen_3(%d %x)", keynum
, res
));
956 res
->deskeyarray_val
= 0;
957 if (!setdeskeyarray(res
, keynum
)) {
960 for (i
= 0; i
< keynum
; i
++) {
961 debug(KEYSERV_DEBUG
, ("gen_3 calling gen_1 %x",
962 res
->deskeyarray_val
+i
));
963 __key_gen_1_svc(NULL
, NULL
,
964 res
->deskeyarray_val
+i
);
965 debug(KEYSERV_DEBUG
, ("gen_3 val %d %x",
966 i
, *(int *)(res
->deskeyarray_val
+i
)));
972 __key_gen_3_svc_free(deskeyarray
*dp
)
974 free(dp
->deskeyarray_val
);
978 __key_getcred_3_svc(uid_t uid
, netnamestr
*name
, getcredres3
*res
)
980 return (__key_getcred_1_svc(uid
, name
, (getcredres
*)res
));
984 __key_encrypt_pk_3_svc(uid_t uid
, cryptkeyarg3
*arg
, cryptkeyres3
*res
)
986 debug(KEYSERV_DEBUG
, ("encrypt_pk_3(%d, %s)", uid
, arg
->remotename
));
987 res
->status
= pk_encrypt3(uid
, arg
, &res
->cryptkeyres3_u
.deskey
);
988 debug(KEYSERV_DEBUG
, ("encrypt returned %s", strstatus(res
->status
)));
993 __key_encrypt_pk_3_svc_free(cryptkeyres3
*res
)
995 if (res
->status
== KEY_SUCCESS
) {
996 free(res
->cryptkeyres3_u
.deskey
.deskeyarray_val
);
1001 __key_decrypt_pk_3(uid_t uid
, cryptkeyarg3
*arg
, cryptkeyres3
*res
)
1003 debug(KEYSERV_DEBUG
, ("decrypt_pk_3(%d, %s)", uid
, arg
->remotename
));
1004 res
->status
= pk_decrypt3(uid
, arg
, &res
->cryptkeyres3_u
.deskey
);
1005 debug(KEYSERV_DEBUG
, ("encrypt returned %s", strstatus(res
->status
)));
1010 __key_decrypt_pk_3_free(cryptkeyres3
*res
)
1012 if (res
->status
== KEY_SUCCESS
) {
1013 free(res
->cryptkeyres3_u
.deskey
.deskeyarray_val
);
1018 __key_net_put_3_svc(uid_t uid
, key_netstarg3
*arg
, keystatus
*status
)
1020 debug(KEYSERV_DEBUG
, ("net_put_3 (%d, %x)", uid
, arg
));
1021 *status
= pk_netput3(uid
, arg
);
1022 debug(KEYSERV_DEBUG
, ("net_put_3 ret %s", strstatus(*status
)));
1027 __key_net_get_3_svc(uid_t uid
, mechtype
*arg
, key_netstres3
*keynetname
)
1029 debug(KEYSERV_DEBUG
, ("net_get_3 (%d, %x)", uid
, arg
));
1030 keynetname
->status
= pk_netget3(uid
,
1031 arg
, &keynetname
->key_netstres3_u
.knet
);
1032 debug(KEYSERV_DEBUG
,
1033 ("net_get_3 ret %s", strstatus(keynetname
->status
)));
1038 __key_net_get_3_svc_free(key_netstres3
*keynetname
)
1040 if (keynetname
->status
== KEY_SUCCESS
) {
1041 free(keynetname
->key_netstres3_u
.knet
.st_priv_key
.keybuf3_val
);
1042 free(keynetname
->key_netstres3_u
.knet
.st_pub_key
.keybuf3_val
);
1043 free(keynetname
->key_netstres3_u
.knet
.st_netname
);
1048 __key_get_conv_3_svc(uid_t uid
, deskeyarg3
*arg
, cryptkeyres3
*res
)
1050 debug(KEYSERV_DEBUG
, ("get_conv_3(%d %x %x)", uid
, arg
, res
));
1051 res
->status
= pk_get_conv_key3(uid
, arg
, res
);
1052 debug(KEYSERV_DEBUG
,
1053 ("get_conv_3 ret %s", strstatus(res
->status
)));
1059 __key_clear_3_svc(uid_t uid
, void *arg
, keystatus
*status
)
1061 debug(KEYSERV_DEBUG
, ("clear_3(%d)", uid
));
1062 *status
= pk_clear3(uid
);
1063 debug(KEYSERV_DEBUG
, ("clear_3 ret %s", strstatus(*status
)));
1071 keyprogram(rqstp
, transp
)
1072 struct svc_req
*rqstp
;
1076 keybuf key_set_1_arg
;
1077 cryptkeyarg key_encrypt_1_arg
;
1078 cryptkeyarg key_decrypt_1_arg
;
1079 netnamestr key_getcred_1_arg
;
1080 cryptkeyarg key_encrypt_2_arg
;
1081 cryptkeyarg key_decrypt_2_arg
;
1082 netnamestr key_getcred_2_arg
;
1083 cryptkeyarg2 key_encrypt_pk_2_arg
;
1084 cryptkeyarg2 key_decrypt_pk_2_arg
;
1085 key_netstarg key_net_put_2_arg
;
1086 netobj key_get_conv_2_arg
;
1087 keybuf3 key_set_3_arg
;
1088 cryptkeyarg3 key_encrypt_3_arg
;
1089 cryptkeyarg3 key_decrypt_3_arg
;
1090 cryptkeyarg3 key_encrypt_pk_3_arg
;
1091 cryptkeyarg3 key_decrypt_pk_3_arg
;
1092 keynum_t key_gen_3_arg
;
1093 netnamestr key_getcred_3_arg
;
1094 key_netstarg3 key_net_put_3_arg
;
1095 key_netstarg3 key_net_get_3_arg
;
1096 deskeyarg3 key_get_conv_3_arg
;
1103 key_netstres keynetname
;
1105 deskeyarray keyarray
;
1107 key_netstres3 keynetname3
;
1109 uint_t gids
[MAXGIDS
];
1110 char netname_str
[MAXNETNAMELEN
+ 1];
1111 bool_t (*xdr_argument
)(), (*xdr_result
)();
1113 void (*local_free
)() = NULL
;
1118 switch (rqstp
->rq_proc
) {
1120 svc_sendreply(transp
, xdr_void
, NULL
);
1124 xdr_argument
= xdr_keybuf
;
1125 xdr_result
= xdr_int
;
1126 local
= __key_set_1_svc
;
1131 xdr_argument
= xdr_cryptkeyarg
;
1132 xdr_result
= xdr_cryptkeyres
;
1133 local
= __key_encrypt_1_svc
;
1138 xdr_argument
= xdr_cryptkeyarg
;
1139 xdr_result
= xdr_cryptkeyres
;
1140 local
= __key_decrypt_1_svc
;
1145 xdr_argument
= xdr_void
;
1146 xdr_result
= xdr_des_block
;
1147 local
= __key_gen_1_svc
;
1152 xdr_argument
= xdr_netnamestr
;
1153 xdr_result
= xdr_getcredres
;
1154 local
= __key_getcred_1_svc
;
1155 result
.gres
.getcredres_u
.cred
.gids
.gids_val
= gids
;
1159 case KEY_ENCRYPT_PK
:
1160 xdr_argument
= xdr_cryptkeyarg2
;
1161 xdr_result
= xdr_cryptkeyres
;
1162 local
= __key_encrypt_pk_2_svc
;
1166 case KEY_DECRYPT_PK
:
1167 xdr_argument
= xdr_cryptkeyarg2
;
1168 xdr_result
= xdr_cryptkeyres
;
1169 local
= __key_decrypt_pk_2_svc
;
1175 xdr_argument
= xdr_key_netstarg
;
1176 xdr_result
= xdr_keystatus
;
1177 local
= __key_net_put_2_svc
;
1182 xdr_argument
= (xdrproc_t
)xdr_void
;
1183 xdr_result
= xdr_key_netstres
;
1184 local
= __key_net_get_2_svc
;
1185 result
.keynetname
.key_netstres_u
.knet
.st_netname
= netname_str
;
1190 xdr_argument
= (xdrproc_t
)xdr_keybuf
;
1191 xdr_result
= xdr_cryptkeyres
;
1192 local
= __key_get_conv_2_svc
;
1197 * Version 3 procedures follow...
1201 xdr_argument
= (xdrproc_t
)xdr_setkeyarg3
;
1202 xdr_result
= xdr_keystatus
;
1203 local
= __key_set_3_svc
;
1208 xdr_argument
= (xdrproc_t
)xdr_cryptkeyarg3
;
1209 xdr_result
= xdr_cryptkeyres3
;
1210 local
= __key_encrypt_3_svc
;
1215 xdr_argument
= (xdrproc_t
)xdr_cryptkeyarg3
;
1216 xdr_result
= xdr_cryptkeyres3
;
1217 local
= __key_decrypt_3_svc
;
1222 xdr_argument
= (xdrproc_t
)xdr_keynum_t
;
1223 xdr_result
= xdr_deskeyarray
;
1224 local
= __key_gen_3_svc
;
1225 local_free
= __key_gen_3_svc_free
;
1230 xdr_argument
= (xdrproc_t
)xdr_netnamestr
;
1231 xdr_result
= xdr_getcredres3
;
1232 local
= __key_getcred_3_svc
;
1236 case KEY_ENCRYPT_PK_3
:
1237 xdr_argument
= (xdrproc_t
)xdr_cryptkeyarg3
;
1238 xdr_result
= xdr_cryptkeyres3
;
1239 local
= __key_encrypt_pk_3_svc
;
1240 local_free
= __key_encrypt_pk_3_svc_free
;
1244 case KEY_DECRYPT_PK_3
:
1245 xdr_argument
= (xdrproc_t
)xdr_cryptkeyarg3
;
1246 xdr_result
= xdr_cryptkeyres3
;
1247 local
= __key_decrypt_pk_3
;
1248 local_free
= __key_decrypt_pk_3_free
;
1253 xdr_argument
= (xdrproc_t
)xdr_key_netstarg3
;
1254 xdr_result
= xdr_keystatus
;
1255 local
= __key_net_put_3_svc
;
1260 xdr_argument
= (xdrproc_t
)xdr_mechtype
;
1261 xdr_result
= xdr_key_netstres3
;
1262 local
= __key_net_get_3_svc
;
1263 local_free
= __key_net_get_3_svc_free
;
1267 case KEY_GET_CONV_3
:
1268 xdr_argument
= (xdrproc_t
)xdr_deskeyarg3
;
1269 xdr_result
= xdr_cryptkeyres3
;
1270 local
= __key_get_conv_3_svc
;
1275 xdr_argument
= (xdrproc_t
)xdr_void
;
1276 xdr_result
= xdr_keystatus
;
1277 local
= __key_clear_3_svc
;
1282 svcerr_noproc(transp
);
1286 if (!get_auth(transp
, rqstp
, &uid
)) {
1288 (void) fprintf(stderr
,
1289 "not local privileged process\n");
1291 svcerr_weakauth(transp
);
1296 memset((char *)&argument
, 0, sizeof (argument
));
1297 if (!svc_getargs(transp
, xdr_argument
, (caddr_t
)&argument
)) {
1298 svcerr_decode(transp
);
1301 retval
= (*local
)(uid
, &argument
, &result
);
1302 if (retval
&& !svc_sendreply(transp
, xdr_result
, (char *)&result
)) {
1304 (void) fprintf(stderr
, "unable to reply\n");
1305 svcerr_systemerr(transp
);
1307 if (!svc_freeargs(transp
, xdr_argument
, (caddr_t
)&argument
)) {
1309 (void) fprintf(stderr
,
1310 "unable to free arguments\n");
1314 (*local_free
)(&result
);
1319 get_auth(trans
, rqstp
, uid
)
1321 struct svc_req
*rqstp
;
1324 svc_local_cred_t cred
;
1326 if (!svc_get_local_cred(trans
, &cred
)) {
1328 fprintf(stderr
, "svc_get_local_cred failed %s %s\n",
1329 trans
->xp_netid
, trans
->xp_tp
);
1333 fprintf(stderr
, "local_uid %d\n", cred
.euid
);
1334 if (rqstp
->rq_cred
.oa_flavor
== AUTH_SYS
||
1335 rqstp
->rq_cred
.oa_flavor
== AUTH_LOOPBACK
) {
1336 CTASSERT(sizeof (struct authunix_parms
) <= RQCRED_SIZE
);
1337 /* LINTED pointer alignment */
1338 *uid
= ((struct authunix_parms
*)rqstp
->rq_clntcred
)->aup_uid
;
1339 return (*uid
== cred
.euid
|| cred
.euid
== 0);
1347 get_cache_size(size
)
1352 len
= (int)strlen(size
);
1357 if (size
[len
-1] == 'M' || size
[len
-1] == 'm') {
1366 * negative size indicates number of entries in cache
1372 (void) fprintf(stderr
, "invalid cache size: %s\n", size
);
1382 (void) fprintf(stderr
, "usage: \n");
1383 (void) fprintf(stderr
, "keyserv [-c]|[-s ");
1384 (void) fprintf(stderr
, "<size>|<mechtype>=<size>[,...]] [-n] [-D] ");
1385 (void) fprintf(stderr
, "[-d | -e] ");
1386 (void) fprintf(stderr
, "[-t threads]\n");
1387 (void) fprintf(stderr
, "-d disables the use of default keys\n");
1388 (void) fprintf(stderr
, "-e enables the use of default keys\n");
1398 if (defopen(defaults_file
) == 0) {
1402 flags
= defcntl(DC_GETFLAGS
, 0);
1403 TURNOFF(flags
, DC_CASE
);
1404 (void) defcntl(DC_SETFLAGS
, flags
);
1406 if ((ptr
= defread("ENABLE_NOBODY_KEYS=")) != NULL
) {
1407 if (strcasecmp(ptr
, "NO") == 0) {
1408 use_nobody_keys
= FALSE
;
1412 (void) defopen(NULL
);