2 * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
3 * unrestricted use provided that this legend is included on all tape
4 * media and as a part of the software program in whole or part. Users
5 * may copy or modify Sun RPC without charge, but are not authorized
6 * to license or distribute it to anyone else except as part of a product or
7 * program developed by the user.
9 * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
10 * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR
11 * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
13 * Sun RPC is provided with no support and without any obligation on the
14 * part of Sun Microsystems, Inc. to assist in its use, correction,
15 * modification or enhancement.
17 * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
18 * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
19 * OR ANY PART THEREOF.
21 * In no event will Sun Microsystems, Inc. be liable for any lost revenue
22 * or profits or other special, indirect and consequential damages, even if
23 * Sun has been advised of the possibility of such damages.
25 * Sun Microsystems, Inc.
27 * Mountain View, California 94043
32 static char sccsid[] = "@(#)keyserv.c 1.15 94/04/25 SMI";
34 static const char rcsid[] =
39 * Copyright (c) 1986 - 1991 by Sun Microsystems, Inc.
44 * Store secret keys per uid. Do public key encryption and decryption
45 * operations. Generate "random" keys.
46 * Do not talk to anything but a local root
47 * process on the local transport only
57 #include <sys/types.h>
59 #include <sys/param.h>
61 #include <rpc/des_crypt.h>
63 #include <rpc/key_prot.h>
64 #include <rpcsvc/crypt.h>
72 #define KEYSERVSOCK "/var/run/keyservsock"
75 static void randomize __P(( des_block * ));
76 static void usage __P(( void ));
77 static int getrootkey __P(( des_block *, int ));
78 static int root_auth __P(( SVCXPRT *, struct svc_req * ));
81 static int debugging = 1;
83 static int debugging = 0;
86 static void keyprogram();
87 static des_block masterkey;
89 static char ROOTKEY[] = "/etc/.rootkey";
92 * Hack to allow the keyserver to use AUTH_DES (for authenticated
93 * NIS+ calls, for example). The only functions that get called
94 * are key_encryptsession_pk, key_decryptsession_pk, and key_gendes.
96 * The approach is to have the keyserver fill in pointers to local
97 * implementations of these functions, and to call those in key_call().
100 extern cryptkeyres *(*__key_encryptsession_pk_LOCAL)();
101 extern cryptkeyres *(*__key_decryptsession_pk_LOCAL)();
102 extern des_block *(*__key_gendes_LOCAL)();
103 extern int (*__des_crypt_LOCAL)();
105 cryptkeyres *key_encrypt_pk_2_svc_prog __P(( uid_t, cryptkeyarg2 * ));
106 cryptkeyres *key_decrypt_pk_2_svc_prog __P(( uid_t, cryptkeyarg2 * ));
107 des_block *key_gen_1_svc_prog __P(( void *, struct svc_req * ));
119 register SVCXPRT *transp;
120 struct netconfig *nconf = NULL;
122 __key_encryptsession_pk_LOCAL = &key_encrypt_pk_2_svc_prog;
123 __key_decryptsession_pk_LOCAL = &key_decrypt_pk_2_svc_prog;
124 __key_gendes_LOCAL = &key_gen_1_svc_prog;
126 while ((c = getopt(argc, argv, "ndDvp:")) != -1)
147 load_des(warn, path);
148 __des_crypt_LOCAL = _my_crypt;
149 if (svc_auth_reg(AUTH_DES, _svcauth_des) == -1)
150 errx(1, "failed to register AUTH_DES authenticator");
152 if (optind != argc) {
159 (void) umask(S_IXUSR|S_IXGRP|S_IXOTH);
161 errx(1, "keyserv must be run as root");
162 setmodulus(HEXMODULUS);
163 getrootkey(&masterkey, nflag);
165 rpcb_unset(KEY_PROG, KEY_VERS, NULL);
166 rpcb_unset(KEY_PROG, KEY_VERS2, NULL);
168 if (svc_create(keyprogram, KEY_PROG, KEY_VERS,
170 (void) fprintf(stderr,
171 "%s: unable to create service\n", argv[0]);
175 if (svc_create(keyprogram, KEY_PROG, KEY_VERS2,
177 (void) fprintf(stderr,
178 "%s: unable to create service\n", argv[0]);
182 localhandle = setnetconfig();
183 while ((nconf = getnetconfig(localhandle)) != NULL) {
184 if (nconf->nc_protofmly != NULL &&
185 strcmp(nconf->nc_protofmly, NC_LOOPBACK) == 0)
190 errx(1, "getnetconfig: %s", nc_sperror());
193 rpcb_unset(CRYPT_PROG, CRYPT_VERS, nconf);
194 transp = svcunix_create(RPC_ANYSOCK, 0, 0, KEYSERVSOCK);
196 errx(1, "cannot create AF_LOCAL service");
197 if (!svc_reg(transp, KEY_PROG, KEY_VERS, keyprogram, nconf))
198 errx(1, "unable to register (KEY_PROG, KEY_VERS, unix)");
199 if (!svc_reg(transp, KEY_PROG, KEY_VERS2, keyprogram, nconf))
200 errx(1, "unable to register (KEY_PROG, KEY_VERS2, unix)");
201 if (!svc_reg(transp, CRYPT_PROG, CRYPT_VERS, crypt_prog_1, nconf))
202 errx(1, "unable to register (CRYPT_PROG, CRYPT_VERS, unix)");
204 endnetconfig(localhandle);
206 (void) umask(066); /* paranoia */
212 signal(SIGPIPE, SIG_IGN);
220 * In the event that we don't get a root password, we try to
221 * randomize the master key the best we can
233 for (i = 0; i < 1024; i++) {
234 (void) gettimeofday(&tv, (struct timezone *) NULL);
235 shift = i % 8 * sizeof (int);
236 seed ^= (tv.tv_usec << shift) | (tv.tv_usec >> (32 - shift));
238 #ifdef KEYSERV_RANDOM
240 master->key.low = random();
241 master->key.high = random();
244 /* use stupid dangerous bad rand() */
246 master->key.low = rand();
247 master->key.high = rand();
253 * Try to get root's secret key, by prompting if terminal is a tty, else trying
254 * from standard input.
255 * Returns 1 on success.
258 getrootkey(master, prompt)
263 char name[MAXNETNAMELEN + 1];
264 char secret[HEXKEYBYTES];
265 key_netstarg netstore;
270 * Read secret key out of ROOTKEY
272 fd = open(ROOTKEY, O_RDONLY, 0);
277 if (read(fd, secret, HEXKEYBYTES) < HEXKEYBYTES) {
278 warnx("the key read from %s was too short", ROOTKEY);
283 if (!getnetname(name)) {
285 "failed to generate host's netname when establishing root's key");
288 memcpy(netstore.st_priv_key, secret, HEXKEYBYTES);
289 memset(netstore.st_pub_key, 0, HEXKEYBYTES);
290 netstore.st_netname = name;
291 if (pk_netput(0, &netstore) != KEY_SUCCESS) {
292 warnx("could not set root's key and netname");
298 * Decrypt yellow pages publickey entry to get secret key
300 passwd = getpass("root password:");
301 passwd2des(passwd, (char *)master);
303 if (!getsecretkey(name, secret, passwd)) {
304 warnx("can't find %s's secret key", name);
307 if (secret[0] == 0) {
308 warnx("password does not decrypt secret key for %s", name);
311 (void) pk_setkey(0, secret);
313 * Store it for future use in $ROOTKEY, if possible
315 fd = open(ROOTKEY, O_WRONLY|O_TRUNC|O_CREAT, 0);
319 write(fd, secret, strlen(secret));
320 write(fd, &newline, sizeof (newline));
327 * Procedures to implement RPC service
335 return ("KEY_SUCCESS");
337 return ("KEY_NOSECRET");
339 return ("KEY_UNKNOWN");
341 return ("KEY_SYSTEMERR");
343 return ("(bad result code)");
348 key_set_1_svc_prog(uid, key)
352 static keystatus status;
355 (void) fprintf(stderr, "set(%ld, %.*s) = ", uid,
356 (int) sizeof (keybuf), key);
358 status = pk_setkey(uid, key);
360 (void) fprintf(stderr, "%s\n", strstatus(status));
361 (void) fflush(stderr);
367 key_encrypt_pk_2_svc_prog(uid, arg)
371 static cryptkeyres res;
374 (void) fprintf(stderr, "encrypt(%ld, %s, %08x%08x) = ", uid,
375 arg->remotename, arg->deskey.key.high,
376 arg->deskey.key.low);
378 res.cryptkeyres_u.deskey = arg->deskey;
379 res.status = pk_encrypt(uid, arg->remotename, &(arg->remotekey),
380 &res.cryptkeyres_u.deskey);
382 if (res.status == KEY_SUCCESS) {
383 (void) fprintf(stderr, "%08x%08x\n",
384 res.cryptkeyres_u.deskey.key.high,
385 res.cryptkeyres_u.deskey.key.low);
387 (void) fprintf(stderr, "%s\n", strstatus(res.status));
389 (void) fflush(stderr);
395 key_decrypt_pk_2_svc_prog(uid, arg)
399 static cryptkeyres res;
402 (void) fprintf(stderr, "decrypt(%ld, %s, %08x%08x) = ", uid,
403 arg->remotename, arg->deskey.key.high,
404 arg->deskey.key.low);
406 res.cryptkeyres_u.deskey = arg->deskey;
407 res.status = pk_decrypt(uid, arg->remotename, &(arg->remotekey),
408 &res.cryptkeyres_u.deskey);
410 if (res.status == KEY_SUCCESS) {
411 (void) fprintf(stderr, "%08x%08x\n",
412 res.cryptkeyres_u.deskey.key.high,
413 res.cryptkeyres_u.deskey.key.low);
415 (void) fprintf(stderr, "%s\n", strstatus(res.status));
417 (void) fflush(stderr);
423 key_net_put_2_svc_prog(uid, arg)
427 static keystatus status;
430 (void) fprintf(stderr, "net_put(%s, %.*s, %.*s) = ",
431 arg->st_netname, (int)sizeof (arg->st_pub_key),
432 arg->st_pub_key, (int)sizeof (arg->st_priv_key),
436 status = pk_netput(uid, arg);
439 (void) fprintf(stderr, "%s\n", strstatus(status));
440 (void) fflush(stderr);
447 key_net_get_2_svc_prog(uid, arg)
451 static key_netstres keynetname;
454 (void) fprintf(stderr, "net_get(%ld) = ", uid);
456 keynetname.status = pk_netget(uid, &keynetname.key_netstres_u.knet);
458 if (keynetname.status == KEY_SUCCESS) {
459 fprintf(stderr, "<%s, %.*s, %.*s>\n",
460 keynetname.key_netstres_u.knet.st_netname,
461 (int)sizeof (keynetname.key_netstres_u.knet.st_pub_key),
462 keynetname.key_netstres_u.knet.st_pub_key,
463 (int)sizeof (keynetname.key_netstres_u.knet.st_priv_key),
464 keynetname.key_netstres_u.knet.st_priv_key);
466 (void) fprintf(stderr, "NOT FOUND\n");
468 (void) fflush(stderr);
471 return (&keynetname);
476 key_get_conv_2_svc_prog(uid, arg)
480 static cryptkeyres res;
483 (void) fprintf(stderr, "get_conv(%ld, %.*s) = ", uid,
484 (int)sizeof (arg), arg);
487 res.status = pk_get_conv_key(uid, arg, &res);
490 if (res.status == KEY_SUCCESS) {
491 (void) fprintf(stderr, "%08x%08x\n",
492 res.cryptkeyres_u.deskey.key.high,
493 res.cryptkeyres_u.deskey.key.low);
495 (void) fprintf(stderr, "%s\n", strstatus(res.status));
497 (void) fflush(stderr);
504 key_encrypt_1_svc_prog(uid, arg)
508 static cryptkeyres res;
511 (void) fprintf(stderr, "encrypt(%ld, %s, %08x%08x) = ", uid,
512 arg->remotename, arg->deskey.key.high,
513 arg->deskey.key.low);
515 res.cryptkeyres_u.deskey = arg->deskey;
516 res.status = pk_encrypt(uid, arg->remotename, NULL,
517 &res.cryptkeyres_u.deskey);
519 if (res.status == KEY_SUCCESS) {
520 (void) fprintf(stderr, "%08x%08x\n",
521 res.cryptkeyres_u.deskey.key.high,
522 res.cryptkeyres_u.deskey.key.low);
524 (void) fprintf(stderr, "%s\n", strstatus(res.status));
526 (void) fflush(stderr);
532 key_decrypt_1_svc_prog(uid, arg)
536 static cryptkeyres res;
539 (void) fprintf(stderr, "decrypt(%ld, %s, %08x%08x) = ", uid,
540 arg->remotename, arg->deskey.key.high,
541 arg->deskey.key.low);
543 res.cryptkeyres_u.deskey = arg->deskey;
544 res.status = pk_decrypt(uid, arg->remotename, NULL,
545 &res.cryptkeyres_u.deskey);
547 if (res.status == KEY_SUCCESS) {
548 (void) fprintf(stderr, "%08x%08x\n",
549 res.cryptkeyres_u.deskey.key.high,
550 res.cryptkeyres_u.deskey.key.low);
552 (void) fprintf(stderr, "%s\n", strstatus(res.status));
554 (void) fflush(stderr);
561 key_gen_1_svc_prog(v, s)
566 static des_block keygen;
567 static des_block key;
569 (void) gettimeofday(&time, (struct timezone *) NULL);
570 keygen.key.high += (time.tv_sec ^ time.tv_usec);
571 keygen.key.low += (time.tv_sec ^ time.tv_usec);
572 ecb_crypt((char *)&masterkey, (char *)&keygen, sizeof (keygen),
573 DES_ENCRYPT | DES_HW);
575 des_setparity((char *)&key);
577 (void) fprintf(stderr, "gen() = %08x%08x\n", key.key.high,
579 (void) fflush(stderr);
585 key_getcred_1_svc_prog(uid, name)
589 static getcredres res;
590 static u_int gids[NGROUPS];
591 struct unixcred *cred;
593 cred = &res.getcredres_u.cred;
594 cred->gids.gids_val = gids;
595 if (!netname2user(*name, (uid_t *) &cred->uid, (gid_t *) &cred->gid,
596 (int *)&cred->gids.gids_len, (gid_t *)gids)) {
597 res.status = KEY_UNKNOWN;
599 res.status = KEY_SUCCESS;
602 (void) fprintf(stderr, "getcred(%s) = ", *name);
603 if (res.status == KEY_SUCCESS) {
604 (void) fprintf(stderr, "uid=%d, gid=%d, grouplen=%d\n",
605 cred->uid, cred->gid, cred->gids.gids_len);
607 (void) fprintf(stderr, "%s\n", strstatus(res.status));
609 (void) fflush(stderr);
618 keyprogram(rqstp, transp)
619 struct svc_req *rqstp;
623 keybuf key_set_1_arg;
624 cryptkeyarg key_encrypt_1_arg;
625 cryptkeyarg key_decrypt_1_arg;
626 netnamestr key_getcred_1_arg;
627 cryptkeyarg key_encrypt_2_arg;
628 cryptkeyarg key_decrypt_2_arg;
629 netnamestr key_getcred_2_arg;
630 cryptkeyarg2 key_encrypt_pk_2_arg;
631 cryptkeyarg2 key_decrypt_pk_2_arg;
632 key_netstarg key_net_put_2_arg;
633 netobj key_get_conv_2_arg;
636 xdrproc_t xdr_argument, xdr_result;
641 switch (rqstp->rq_proc) {
643 svc_sendreply(transp, (xdrproc_t)xdr_void, NULL);
647 xdr_argument = (xdrproc_t)xdr_keybuf;
648 xdr_result = (xdrproc_t)xdr_int;
649 local = (char *(*)()) key_set_1_svc_prog;
654 xdr_argument = (xdrproc_t)xdr_cryptkeyarg;
655 xdr_result = (xdrproc_t)xdr_cryptkeyres;
656 local = (char *(*)()) key_encrypt_1_svc_prog;
661 xdr_argument = (xdrproc_t)xdr_cryptkeyarg;
662 xdr_result = (xdrproc_t)xdr_cryptkeyres;
663 local = (char *(*)()) key_decrypt_1_svc_prog;
668 xdr_argument = (xdrproc_t)xdr_void;
669 xdr_result = (xdrproc_t)xdr_des_block;
670 local = (char *(*)()) key_gen_1_svc_prog;
675 xdr_argument = (xdrproc_t)xdr_netnamestr;
676 xdr_result = (xdrproc_t)xdr_getcredres;
677 local = (char *(*)()) key_getcred_1_svc_prog;
682 xdr_argument = (xdrproc_t)xdr_cryptkeyarg2;
683 xdr_result = (xdrproc_t)xdr_cryptkeyres;
684 local = (char *(*)()) key_encrypt_pk_2_svc_prog;
689 xdr_argument = (xdrproc_t)xdr_cryptkeyarg2;
690 xdr_result = (xdrproc_t)xdr_cryptkeyres;
691 local = (char *(*)()) key_decrypt_pk_2_svc_prog;
697 xdr_argument = (xdrproc_t)xdr_key_netstarg;
698 xdr_result = (xdrproc_t)xdr_keystatus;
699 local = (char *(*)()) key_net_put_2_svc_prog;
704 xdr_argument = (xdrproc_t) xdr_void;
705 xdr_result = (xdrproc_t)xdr_key_netstres;
706 local = (char *(*)()) key_net_get_2_svc_prog;
711 xdr_argument = (xdrproc_t) xdr_keybuf;
712 xdr_result = (xdrproc_t)xdr_cryptkeyres;
713 local = (char *(*)()) key_get_conv_2_svc_prog;
718 svcerr_noproc(transp);
722 if (root_auth(transp, rqstp) == 0) {
724 (void) fprintf(stderr,
725 "not local privileged process\n");
727 svcerr_weakauth(transp);
730 if (rqstp->rq_cred.oa_flavor != AUTH_SYS) {
732 (void) fprintf(stderr,
733 "not unix authentication\n");
735 svcerr_weakauth(transp);
738 uid = ((struct authsys_parms *)rqstp->rq_clntcred)->aup_uid;
741 memset(&argument, 0, sizeof (argument));
742 if (!svc_getargs(transp, xdr_argument, &argument)) {
743 svcerr_decode(transp);
746 result = (*local) (uid, &argument);
747 if (!svc_sendreply(transp, xdr_result, result)) {
749 (void) fprintf(stderr, "unable to reply\n");
750 svcerr_systemerr(transp);
752 if (!svc_freeargs(transp, xdr_argument, &argument)) {
754 (void) fprintf(stderr,
755 "unable to free arguments\n");
762 root_auth(trans, rqstp)
764 struct svc_req *rqstp;
767 struct sockaddr *remote;
769 remote = svc_getrpccaller(trans)->buf;
770 if (remote->sa_family != AF_UNIX) {
772 fprintf(stderr, "client didn't use AF_UNIX\n");
776 if (__rpc_get_local_uid(trans, &uid) < 0) {
778 fprintf(stderr, "__rpc_get_local_uid failed\n");
783 fprintf(stderr, "local_uid %ld\n", uid);
786 if (rqstp->rq_cred.oa_flavor == AUTH_SYS) {
787 if (((uid_t) ((struct authunix_parms *)
788 rqstp->rq_clntcred)->aup_uid)
794 "local_uid %ld mismatches auth %ld\n", uid,
795 ((uid_t) ((struct authunix_parms *)rqstp->rq_clntcred)->aup_uid));
800 fprintf(stderr, "Not auth sys\n");
808 (void) fprintf(stderr,
809 "usage: keyserv [-n] [-D] [-d] [-v] [-p path]\n");
810 (void) fprintf(stderr, "-d disables the use of default keys\n");