1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <sys/types.h> 30 #include <unistd.h> 31 #include <rpc/rpc.h> 32 #include <rpc/key_prot.h> 33 #include <rpcsvc/nis_dhext.h> 34 #include <syslog.h> 35 #include <note.h> 36 37 /* defined in usr/src/libnsl/rpc/key_call.c */ 38 extern bool_t (*__key_encryptsession_pk_LOCAL)(); 39 extern bool_t (*__key_decryptsession_pk_LOCAL)(); 40 extern bool_t (*__key_gendes_LOCAL)(); 41 42 #define CLASSIC_PK_DH(k, a) (((k) == 192) && ((a) == 0)) 43 44 /* 45 * authsys_create_uid(uid_t uid) 46 * 47 * Create SYS (UNIX) style authenticator for the given uid/gid 48 * We don't include suplementary groups, since these are of no 49 * interest for the keyserv operations that we do. 50 */ 51 AUTH * 52 authsys_create_uid(uid_t uid, gid_t gid) 53 { 54 char host[MAX_MACHINE_NAME + 1]; 55 AUTH *res; 56 57 if (gethostname(host, sizeof (host) - 1) == -1) { 58 syslog(LOG_ERR, 59 "pam_dhkeys: Can't determine hostname: %m"); 60 return (NULL); 61 } 62 host[MAX_MACHINE_NAME] = '\0'; 63 64 res = authsys_create(host, uid, gid, 0, (gid_t *)NULL); 65 66 return (res); 67 } 68 69 /* 70 * my_key_call(proc, xdr_arg, arg, xdr_rslt, rslt, uit, gid) 71 * 72 * my_key_call is a copy of key_call() from libnsl with the 73 * added AUTHSYS rpc credential to make the keyserver use our 74 * REAL UID instead of our EFFECTIVE UID when handling our keys. 75 */ 76 int 77 my_key_call(rpcproc_t proc, xdrproc_t xdr_arg, char *arg, 78 xdrproc_t xdr_rslt, char *rslt, uid_t uid, gid_t gid) 79 { 80 CLIENT *clnt; 81 struct timeval wait_time = {0, 0}; 82 enum clnt_stat status; 83 int vers; 84 85 if (proc == KEY_ENCRYPT_PK && __key_encryptsession_pk_LOCAL) { 86 cryptkeyres res; 87 bool_t r; 88 r = (*__key_encryptsession_pk_LOCAL)(uid, arg, &res); 89 if (r == TRUE) { 90 /* LINTED pointer alignment */ 91 *(cryptkeyres*)rslt = res; 92 return (1); 93 } 94 return (0); 95 } 96 if (proc == KEY_DECRYPT_PK && __key_decryptsession_pk_LOCAL) { 97 cryptkeyres res; 98 bool_t r; 99 r = (*__key_decryptsession_pk_LOCAL)(uid, arg, &res); 100 if (r == TRUE) { 101 /* LINTED pointer alignment */ 102 *(cryptkeyres*)rslt = res; 103 return (1); 104 } 105 return (0); 106 } 107 if (proc == KEY_GEN && __key_gendes_LOCAL) { 108 des_block res; 109 bool_t r; 110 r = (*__key_gendes_LOCAL)(uid, 0, &res); 111 if (r == TRUE) { 112 /* LINTED pointer alignment */ 113 *(des_block*)rslt = res; 114 return (1); 115 } 116 return (0); 117 } 118 119 if ((proc == KEY_ENCRYPT_PK) || (proc == KEY_DECRYPT_PK) || 120 (proc == KEY_NET_GET) || (proc == KEY_NET_PUT) || 121 (proc == KEY_GET_CONV)) 122 vers = 2; /* talk to version 2 */ 123 else 124 vers = 1; /* talk to version 1 */ 125 126 clnt = clnt_door_create(KEY_PROG, vers, 0); 127 128 if (clnt == NULL) 129 return (0); 130 131 clnt->cl_auth = authsys_create_uid(uid, gid); 132 133 status = CLNT_CALL(clnt, proc, xdr_arg, arg, xdr_rslt, 134 rslt, wait_time); 135 136 auth_destroy(clnt->cl_auth); 137 clnt_destroy(clnt); 138 139 return (status == RPC_SUCCESS ? 1 : 0); 140 } 141 142 int 143 key_setnet_uid(struct key_netstarg *arg, uid_t uid, gid_t gid) 144 { 145 keystatus status; 146 147 if (!my_key_call((rpcproc_t)KEY_NET_PUT, xdr_key_netstarg, 148 (char *)arg, xdr_keystatus, (char *)&status, uid, gid)) { 149 return (-1); 150 } 151 if (status != KEY_SUCCESS) { 152 return (-1); 153 } 154 155 return (1); 156 } 157 158 int 159 key_setnet_g_uid(const char *netname, const char *skey, keylen_t skeylen, 160 const char *pkey, keylen_t pkeylen, algtype_t algtype, 161 uid_t uid, gid_t gid) 162 { 163 key_netstarg3 arg; 164 keystatus status; 165 166 arg.st_netname = (char *)netname; 167 arg.algtype = algtype; 168 169 if (skeylen == 0) 170 arg.st_priv_key.keybuf3_len = 0; 171 else 172 arg.st_priv_key.keybuf3_len = skeylen/4 + 1; 173 174 arg.st_priv_key.keybuf3_val = (char *)skey; 175 176 if (pkeylen == 0) 177 arg.st_pub_key.keybuf3_len = 0; 178 else 179 arg.st_pub_key.keybuf3_len = pkeylen/4 + 1; 180 181 arg.st_pub_key.keybuf3_val = (char *)pkey; 182 183 if (skeylen == 0) { 184 if (pkeylen == 0) { 185 /* debug("keylens are both 0"); */ 186 return (-1); 187 } 188 arg.keylen = pkeylen; 189 } else { 190 if ((pkeylen != 0) && (skeylen != pkeylen)) { 191 /* debug("keylens don't match"); */ 192 return (-1); 193 } 194 arg.keylen = skeylen; 195 } 196 197 if (CLASSIC_PK_DH(arg.keylen, arg.algtype)) { 198 key_netstarg tmp; 199 200 if (skeylen != 0) { 201 (void) memcpy(&tmp.st_priv_key, skey, 202 sizeof (tmp.st_priv_key)); 203 } else { 204 (void) memset(&tmp.st_priv_key, 0, 205 sizeof (tmp.st_priv_key)); 206 } 207 if (pkeylen != 0) { 208 (void) memcpy(&tmp.st_pub_key, skey, 209 sizeof (tmp.st_pub_key)); 210 } else { 211 (void) memset(&tmp.st_pub_key, 0, 212 sizeof (tmp.st_pub_key)); 213 } 214 tmp.st_netname = (char *)netname; 215 return (key_setnet_uid(&tmp, uid, gid)); 216 } 217 218 if (!my_key_call((rpcproc_t)KEY_NET_PUT_3, xdr_key_netstarg3, 219 (char *)&arg, xdr_keystatus, (char *)&status, uid, gid)) { 220 return (-1); 221 } 222 223 if (status != KEY_SUCCESS) { 224 /* debug("key_setnet3 status is nonzero"); */ 225 return (-1); 226 } 227 return (0); 228 } 229 230 231 /* 232 * key_secretkey_is_set_uid() returns 1 if the keyserver has a secret key 233 * stored for the caller's REAL uid; it returns 0 otherwise 234 */ 235 int 236 key_secretkey_is_set_uid(uid_t uid, gid_t gid) 237 { 238 struct key_netstres kres; 239 240 (void) memset((void*)&kres, 0, sizeof (kres)); 241 242 if (my_key_call((rpcproc_t)KEY_NET_GET, xdr_void, (char *)NULL, 243 xdr_key_netstres, (char *)&kres, uid, gid) && 244 (kres.status == KEY_SUCCESS) && 245 (kres.key_netstres_u.knet.st_priv_key[0] != 0)) { 246 /* avoid leaving secret key in memory */ 247 (void) memset(kres.key_netstres_u.knet.st_priv_key, 0, 248 HEXKEYBYTES); 249 xdr_free(xdr_key_netstres, (char *)&kres); 250 return (1); 251 } 252 return (0); 253 } 254 255 int 256 key_removesecret_g_uid(uid_t uid, gid_t gid) 257 { 258 keystatus status; 259 260 if (my_key_call((rpcproc_t)KEY_CLEAR_3, xdr_void, (char *)NULL, 261 xdr_keystatus, (char *)&status, uid, gid)) 262 return (-1); 263 264 if (status != KEY_SUCCESS) 265 return (-1); 266 267 return (0); 268 } 269
Indexes created Tue Nov 24 20:39:07 UTC 2009
Terms of Use |
Privacy |
Trademarks |
Copyright Policy |
Site Guidelines |
Help
Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Use.
Copyright © 1995-2008 Sun Microsystems, Inc.