int
main(int argc, char *argv[])
{
int sflag = 0, s1flag = 0, s2flag = 0, nflag = 0, dflag = 0, eflag = 0;
char *options, *value;
extern char *optarg;
extern int optind;
int c, d;
struct rlimit rl;
int mode = RPC_SVC_MT_AUTO;
int maxrecsz = RPC_MAXDATASIZE;
void detachfromtty(void);
int setmodulus();
int pk_nodefaultkeys();
int svc_create_local_service();
char domainname[MAXNETNAMELEN + 1];
/*
* Set our allowed number of file descriptors to the max
* of what the system will allow, limited by FD_SETSIZE.
*/
if (getrlimit(RLIMIT_NOFILE, &rl) == 0) {
rlim_t limit;
if ((limit = rl.rlim_max) > FD_SETSIZE)
limit = FD_SETSIZE;
rl.rlim_cur = limit;
(void) setrlimit(RLIMIT_NOFILE, &rl);
(void) enable_extended_FILE_stdio(-1, -1);
}
__key_encryptsession_pk_LOCAL = &__key_encrypt_pk_2_svc;
__key_decryptsession_pk_LOCAL = &__key_decrypt_pk_2_svc;
__key_gendes_LOCAL = &__key_gen_1_svc;
/*
* Pre-option initialisation
*/
(void) umask(066); /* paranoia */
if (geteuid() != 0) {
(void) fprintf(stderr, "%s must be run as root\n", argv[0]);
exit(1);
}
setmodulus(HEXMODULUS);
openlog("keyserv", LOG_PID, LOG_DAEMON);
/*
* keyserv will not work with a null domainname.
*/
if (getdomainname(domainname, MAXNETNAMELEN+1) ||
(domainname[0] == '\0')) {
syslog(LOG_ERR, "could not get a valid domainname.\n");
exit(SMF_EXIT_ERR_CONFIG);
}
/*
* Initialise security mechanisms
*/
cache_size = NULL;
cache_options = NULL;
if (init_mechs() == -1) {
disk_caching = 0;
}
defaults();
while ((c = getopt(argc, argv, "ndDet:cs:")) != -1)
switch (c) {
case 'n':
nflag++;
break;
case 'd':
dflag++;
use_nobody_keys = FALSE;
break;
case 'e':
eflag++;
use_nobody_keys = TRUE;
break;
case 'D':
debugging = 1;
break;
case 't':
nthreads = atoi(optarg);
break;
case 'c':
disk_caching = 0;
break;
case 's':
if (!disk_caching) {
fprintf(stderr, "missing configuration file");
fprintf(stderr, " or -c option specified\n");
usage();
}
sflag++;
/*
* Which version of [-s] do we have...?
*/
if (strchr((const char *) optarg, '=') == NULL) {
/*
* -s <size>
*/
if (s1flag) {
fprintf(stderr, "duplicate"
" [-s <size>]\n");
usage();
}
s1flag++;
default_cache = get_cache_size(optarg);
break;
}
/*
* -s <mechtype>=<size>[,...]
*/
s2flag++;
options = optarg;
while (*options != '\0') {
d = getsubopt(&options, cache_options, &value);
if (d == -1) {
/* Ignore unknown mechtype */
continue;
}
if (value == NULL) {
fprintf(stderr,
"missing cache size for "
"mechtype %s\n", cache_options[d]);
usage();
}
cache_size[d] = get_cache_size(value);
}
break;
default:
usage();
break;
}
if (dflag && eflag) {
(void) fprintf(stderr, "specify only one of -d and -e\n");
usage();
}
if (use_nobody_keys == FALSE) {
pk_nodefaultkeys();
}
if (optind != argc) {
usage();
}
if (!disk_caching && sflag) {
fprintf(stderr, "missing configuration file");
fprintf(stderr, " or -c option specified\n");
usage();
}
if (debugging) {
if (disk_caching) {
char **cpp = cache_options;
int *ip = cache_size;
(void) fprintf(stderr, "default disk cache size: ");
if (default_cache < 0) {
(void) fprintf(stderr, "%d entries\n",
abs(default_cache));
} else {
(void) fprintf(stderr, "%dMB\n", default_cache);
}
(void) fprintf(stderr, "supported mechanisms:\n");
(void) fprintf(stderr, "\talias\t\tdisk cache size\n");
(void) fprintf(stderr, "\t=====\t\t===============\n");
while (*cpp != NULL) {
(void) fprintf(stderr, "\t%s\t\t", *cpp++);
if (*ip < 0) {
(void) fprintf(stderr, "%d entries\n",
abs(*ip));
} else {
(void) fprintf(stderr, "%dMB\n", *ip);
}
ip++;
}
} else {
(void) fprintf(stderr,
"common key disk caching disabled\n");
}
}
/*
* Post-option initialisation
*/
if (disk_caching) {
int i;
for (i = 0; mechs[i]; i++) {
if ((AUTH_DES_COMPAT_CHK(mechs[i])) ||
(mechs[i]->keylen < 0) || (mechs[i]->algtype < 0))
continue;
create_cache_file(mechs[i]->keylen, mechs[i]->algtype,
cache_size[i] ? cache_size[i] : default_cache);
}
}
getrootkey(&masterkey, nflag);
/*
* Set MT mode
*/
if (nthreads > 0) {
(void) rpc_control(RPC_SVC_MTMODE_SET, &mode);
(void) rpc_control(RPC_SVC_THRMAX_SET, &nthreads);
}
/*
* Enable non-blocking mode and maximum record size checks for
* connection oriented transports.
*/
if (!rpc_control(RPC_SVC_CONNMAXREC_SET, &maxrecsz)) {
syslog(LOG_INFO, "unable to set max RPC record size");
}
if (svc_create_local_service(keyprogram, KEY_PROG, KEY_VERS,
"netpath", "keyserv") == 0) {
syslog(LOG_ERR,
"%s: unable to create service for version %d\n",
argv[0], KEY_VERS);
exit(1);
}
if (svc_create_local_service(keyprogram, KEY_PROG, KEY_VERS2,
"netpath", "keyserv") == 0) {
syslog(LOG_ERR,
"%s: unable to create service for version %d\n",
argv[0], KEY_VERS2);
exit(1);
}
if (svc_create_local_service(keyprogram, KEY_PROG, KEY_VERS3,
"netpath", "keyserv") == 0) {
syslog(LOG_ERR,
"%s: unable to create service for version %d\n",
argv[0], KEY_VERS3);
exit(1);
}
if (!debugging) {
detachfromtty();
}
if (svc_create(keyprogram, KEY_PROG, KEY_VERS, "door") == 0) {
syslog(LOG_ERR,
"%s: unable to create service over doors for version %d\n",
argv[0], KEY_VERS);
exit(1);
}
if (svc_create(keyprogram, KEY_PROG, KEY_VERS2, "door") == 0) {
syslog(LOG_ERR,
"%s: unable to create service over doors for version %d\n",
argv[0], KEY_VERS2);
exit(1);
}
if (svc_create(keyprogram, KEY_PROG, KEY_VERS3, "door") == 0) {
syslog(LOG_ERR,
"%s: unable to create service over doors for version %d\n",
argv[0], KEY_VERS3);
exit(1);
}
svc_run();
abort();
/* NOTREACHED */
return (0);
}
/*
* Loop thru the NIS+ security cf entries until one DH(EXT) mech key is
* successfully extracted from the server DHEXT netobj. Copy the hex key
* string to newly allocated memory and return it's address in 'keybuf'.
* The caller must free this memory. Also, dup the key length and algtype
* "alias" string and return it's address in keystr (which the caller
* must also free on successful return).
*
* Policy: If no valid cf entries exist or if the entry is the "des" compat
* one, then try it and then end search.
*
* Returns TRUE on success and FALSE on failure.
*/
static bool_t
get_dhext_key(
netobj *pkey, /* in */
char **keybuf, /* out */
keylen_t *keylen, /* (bits) out */
algtype_t *keyalgtype, /* out */
char **keystr) /* out */
{
mechanism_t **mechs; /* list of mechanisms */
char *hexkey; /* hex public key */
if (mechs = __nis_get_mechanisms(FALSE)) {
mechanism_t **mpp;
for (mpp = mechs; *mpp; mpp++) {
mechanism_t *mp = *mpp;
if (AUTH_DES_COMPAT_CHK(mp)) {
__nis_release_mechanisms(mechs);
goto try_auth_des;
}
if (! VALID_MECH_ENTRY(mp))
continue;
if (hexkey = __nis_dhext_extract_pkey(pkey,
mp->keylen, mp->algtype)) {
if ((*keybuf = malloc(strlen(hexkey) + 1))
== 0) {
syslog(LOG_ERR, "malloc failed");
continue; /* try next mech */
}
(void) strcpy(*keybuf, hexkey);
*keylen = mp->keylen;
*keyalgtype = mp->algtype;
*keystr = strdup(mp->alias);
__nis_release_mechanisms(mechs);
return (TRUE);
} else
continue;
}
__nis_release_mechanisms(mechs);
return (FALSE);
} else {
/* no valid cf mech entries or AUTH_DES compat entry found */
try_auth_des:
if (hexkey = __nis_dhext_extract_pkey(pkey,
AUTH_DES_KEYLEN, AUTH_DES_ALGTYPE)) {
if ((*keybuf = malloc(strlen(hexkey) + 1)) == NULL) {
syslog(LOG_ERR, "malloc failed");
return (FALSE);
}
(void) strcpy(*keybuf, hexkey);
*keylen = AUTH_DES_KEYLEN;
*keyalgtype = AUTH_DES_ALGTYPE;
*keystr = strdup(NIS_SEC_CF_DES_ALIAS);
return (TRUE);
}
}
return (FALSE);
}
