publickey.c revision 36e852a172cba914383d7341c988128b2c667fbd
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
/* All Rights Reserved */
/*
* Portions of this source code were derived from Berkeley 4.3 BSD
* under license from the Regents of the University of California.
*/
/*
*
*
* Public and Private (secret) key lookup routines. These functions
* are used by the secure RPC auth_des flavor to get the public and
* private keys for secure RPC principals. Originally designed to
* talk only to YP, AT&T modified them to talk to files, and now
* they can also talk to NIS+. The policy for these lookups is now
* defined in terms of the nameservice switch as follows :
* publickey: nis files
*
*/
#include "mt.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <assert.h>
#include <pwd.h>
#include "nsswitch.h"
#include <rpc/key_prot.h>
#include <rpcsvc/nis_dhext.h>
#include <thread.h>
#include "../nis/gen/nis_clnt.h"
#include <nss_dbdefs.h>
static const char *PKMAP = "publickey.byname";
static const char dh_caps_str[] = "DH";
static const char des_caps_str[] = AUTH_DES_AUTH_TYPE;
static char *netname2hashname(const char *, char *, int, keylen_t,
#define WORKBUFSIZE 1024
extern int xdecrypt();
extern int __yp_match_cflookup(char *, char *, char *, int, char **,
int *, int *);
/*
* default publickey policy:
* publickey: nis [NOTFOUND = return] files
*/
/* NSW_NOTSUCCESS NSW_NOTFOUND NSW_UNAVAIL NSW_TRYAGAIN */
static struct __nsw_switchconfig publickey_default =
#ifndef NUL
#define NUL '\0'
#endif
extern mutex_t serialize_pkey;
static int extract_secret();
/*
* db_root is used for switch backends.
*/
static DEFINE_NSS_DB_ROOT(db_root);
/*
* str2key
*/
/* ARGSUSED */
static int
return (NSS_STR_PARSE_ERANGE);
/*
* We copy the input string into the output buffer
*/
return (NSS_STR_PARSE_SUCCESS);
}
/*
* These functions are the "backends" for the switch for public keys. They
* get both the public and private keys from each of the supported name
* services (nis, files). They are passed the appropriate parameters
* and return 0 if unsuccessful with *errp set, or 1 when they got just the
* public key and 3 when they got both the public and private keys.
*
*
* getkey_nis()
*
* Internal implementation of getpublickey() using NIS (aka Yellow Pages,
* aka YP).
*
* NOTE : *** this function returns nsswitch codes and _not_ the
* value returned by getpublickey.
*/
static int
{
char *domain;
char *p;
int len;
if (!p) {
*errp = __NSW_UNAVAIL;
return (0);
}
domain = ++p;
/*
* Instead of calling yp_match(), we use __yp_match_cflookup() here
* which has time-out control for the binding operation to nis
* servers.
*/
switch (err) {
case YPERR_KEY :
if (keyval)
*errp = __NSW_NOTFOUND;
return (0);
default :
if (keyval)
*errp = __NSW_UNAVAIL;
return (0);
case 0:
break;
}
if (p == NULL) {
*errp = __NSW_NOTFOUND;
return (0);
}
*p = 0;
if (pkey) {
if (len > HEXKEYBYTES) {
*errp = __NSW_NOTFOUND;
return (0);
}
}
r = 1;
p++;
r |= 2;
*errp = __NSW_SUCCESS;
return (r);
}
/*
* getkey_files()
*
* The files version of getpublickey. This function attempts to
* get the publickey from the file PKFILE .
*
* be :
* netname <whitespace> publickey:privatekey
*
* NOTE : *** this function returns nsswitch codes and _not_ the
* value returned by getpublickey.
*/
static int
{
char *mkey;
char *mval;
char buf[WORKBUFSIZE];
int r = 0;
char *res;
char *p;
char *lasts;
*errp = __NSW_UNAVAIL;
return (0);
}
/* Search through the file linearly :-( */
continue;
else {
"getpublickey: Bad record in %s for %s",
continue;
}
"getpublickey: Bad record in %s for %s",
continue;
}
/* NOTE : Case insensitive compare. */
if (p == NULL) {
"getpublickey: Bad record in %s for %s",
continue;
}
*p = 0;
if (pkey) {
if (len > HEXKEYBYTES) {
"getpublickey: Bad record in %s for %s",
continue;
}
}
r = 1;
p++;
r |= 2;
*errp = __NSW_SUCCESS;
return (r);
}
}
}
*errp = __NSW_NOTFOUND;
return (0);
}
/*
* getpublickey(netname, key)
*
* This is the actual exported interface for this function.
*/
int
{
}
int
{
}
void
__getpublickey_flush(const char *netname)
{
}
int
{
passwd));
}
/*
* Routines to cache publickeys.
*/
/*
* Generic DH (any size keys) version of extract_secret.
*/
static int
char *raw, /* in */
char *private, /* out */
int prilen, /* in */
char *passwd, /* in */
char *netname, /* in */
{
char *p;
if (private)
if (buf)
return (0);
}
/* strip off pesky colon if it exists */
if (p) {
*p = 0;
}
/* raw buf has chksum appended, so let's verify it too */
private[0] = 0;
return (1); /* yes, return 1 even if xdecrypt fails */
}
private[0] = 0;
return (0);
}
return (1);
}
/*
* extract_secret()
*
* This generic function will extract the private key
* from a string using the given password. Note that
* it uses the DES based function xdecrypt()
*/
static int
{
}
/*
* getkeys_ldap_g()
*
* Fetches the key pair from LDAP. This version handles any size
* DH keys.
*/
void
{
p->name = NSS_DBNAM_PUBLICKEY;
}
static int
int *err, /* in */
char *netname, /* in */
char *pkey, /* out */
int pkeylen, /* in */
char *skey, /* out */
int skeylen, /* in */
char *passwd, /* in */
{
int r = 0;
char *p;
int len;
int rc = 0;
char *keyval;
/*
* LDAP stores the public and secret key info in entries using
* nisKeyObject objectclass. Each key is tagged with the
* keytype, keylength, and algorithm. The tag has the following
* format: {<keytype><keylength>-<algorithm>}. For example,
* {DH192-0}.
*/
if (classic_des)
else
&arg) != NSS_SUCCESS) {
NSS_XbyY_FREE(&buf);
*err = __NSW_NOTFOUND;
return (0);
}
if (p == NULL) {
NSS_XbyY_FREE(&buf);
*err = __NSW_NOTFOUND;
return (0);
}
*p = 0;
if (pkey) {
if (len > HEXKEYBYTES) {
NSS_XbyY_FREE(&buf);
*err = __NSW_NOTFOUND;
return (0);
}
}
r = 1;
p++;
r |= 2;
NSS_XbyY_FREE(&buf);
*err = __NSW_SUCCESS;
return (r);
}
/*
* Convert a netname to a name we will hash on. For classic_des,
* just copy netname as is. But for new and improved ("now in
* new longer sizes!") DHEXT, add a ":keylen-algtype" suffix to hash on.
*
* Returns the hashname string on success or NULL on failure.
*/
static char *
const char *netname,
char *hashname,
int bufsiz,
{
return (NULL);
if (classic_des) {
else
return (NULL);
} else {
char tmp[128];
else
return (NULL);
}
return (hashname);
}
/*
* Flush netname's publickey of the given key length and algorithm type.
*/
void
{
}
/*
* Generic DH (any size keys) version of __getpublickey_cached.
*/
int
char *pkey, /* out */
int *from_cache) /* in/out */
{
struct __nsw_switchconfig *conf;
struct __nsw_lookup *look;
enum __nsw_parse_err perr;
int retry_cache = 0;
return (0);
if (!conf) {
needfree = 0;
}
/* long DH keys will not be in nis or files */
} else if (classic_des &&
else if (classic_des &&
else {
look->service_name);
err = __NSW_UNAVAIL;
}
case __NSW_CONTINUE :
continue;
case __NSW_RETURN :
if (needfree)
return ((res & 1) != 0);
default :
look->service_name);
}
}
if (needfree)
return (0);
}
/*
* Generic (all sizes) DH version of getpublickey.
*/
int
const char *netname, /* in */
int keylen, /* in */
int algtype, /* in */
char *pkey, /* out */
{
pkeylen, (int *)0));
}
/*
* Generic (all sizes) DH version of getsecretkey_g.
*/
int
const char *netname, /* in */
char *skey, /* out */
const char *passwd) /* in */
{
struct __nsw_switchconfig *conf;
struct __nsw_lookup *look;
enum __nsw_parse_err perr;
return (0);
if (!conf) {
needfree = 0;
}
/* long DH keys will not be in nis or files */
else if (classic_des &&
else {
look->service_name);
err = __NSW_UNAVAIL;
}
case __NSW_CONTINUE :
continue;
case __NSW_RETURN :
if (needfree)
return ((res & 2) != 0);
default :
look->service_name);
}
}
if (needfree)
return (0);
}