diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@@ -51,6 +51,10 @@
 # xargs -n1 | sort | uniq -d;
 # done
+# 20250727: Remove of remaining Secure RPC (DES) bits
+OLD_FILES+=usr/sbin/rpc.ypupdated
+OLD_FILES+=etc/rc.d/ypupdated
+
 # 20250726: MIT KRB5 DSO bump
 OLD_LIBS+=usr/lib/libcom_err.so.121
 OLD_LIBS+=usr/lib/libgssapi_krb5.so.121
diff --git a/include/rpc/auth_des.h b/include/rpc/auth_des.h
--- a/include/rpc/auth_des.h
+++ b/include/rpc/auth_des.h
@@ -33,91 +33,14 @@ * Copyright (c) 1986 - 1991 by Sun Microsystems, Inc. */ -/* - * auth_des.h, Protocol for DES style authentication for RPC - */ +/* Note, RPC DES authentication was removed in FreeBSD 15.0. */ #ifndef _AUTH_DES_ #define _AUTH_DES_ -/* - * There are two kinds of "names": fullnames and nicknames - */ -enum authdes_namekind { - ADN_FULLNAME, - ADN_NICKNAME -}; - -/* - * A fullname contains the network name of the client, - * a conversation key and the window - */ -struct authdes_fullname { - char *name; /* network name of client, up to MAXNETNAMELEN */ - des_block key; /* conversation key */ - u_long window; /* associated window */ -}; - - -/* - * A credential - */ -struct authdes_cred { - enum authdes_namekind adc_namekind; - struct authdes_fullname adc_fullname; - u_long adc_nickname; -}; - - - -/* - * A des authentication verifier - */ -struct authdes_verf { - union { - struct timeval adv_ctime; /* clear time */ - des_block adv_xtime; /* crypt time */ - } adv_time_u; - u_long adv_int_u; -}; - -/* - * des authentication verifier: client variety - * - * adv_timestamp is the current time. - * adv_winverf is the credential window + 1. - * Both are encrypted using the conversation key. - */ -#define adv_timestamp adv_time_u.adv_ctime -#define adv_xtimestamp adv_time_u.adv_xtime -#define adv_winverf adv_int_u - -/* - * des authentication verifier: server variety - * - * adv_timeverf is the client's timestamp + client's window - * adv_nickname is the server's nickname for the client. - * adv_timeverf is encrypted using the conversation key. - */ -#define adv_timeverf adv_time_u.adv_ctime -#define adv_xtimeverf adv_time_u.adv_xtime -#define adv_nickname adv_int_u - -/* - * Map a des credential into a unix cred. 
- * - */ -__BEGIN_DECLS -extern int authdes_getucred( struct authdes_cred *, uid_t *, gid_t *, int *, gid_t * ); -__END_DECLS - __BEGIN_DECLS -extern bool_t xdr_authdes_cred(XDR *, struct authdes_cred *); -extern bool_t xdr_authdes_verf(XDR *, struct authdes_verf *); extern int rtime(dev_t, struct netbuf *, int, struct timeval *, struct timeval *); -extern void kgetnetname(char *); -extern enum auth_stat _svcauth_des(struct svc_req *, struct rpc_msg *); __END_DECLS #endif /* ndef _AUTH_DES_ */ diff --git a/lib/libc/rpc/Symbol.map b/lib/libc/rpc/Symbol.map --- a/lib/libc/rpc/Symbol.map +++ b/lib/libc/rpc/Symbol.map @@ -8,13 +8,29 @@ xdr_desargs; xdr_desresp; + /* DES functionality removed in 15.0 */ + authdes_create; + authdes_getucred; authdes_seccreate; authdes_pk_seccreate; + xdr_authdes_cred; + xdr_authdes_verf; + _svcauth_des; + + /* keyserv(8) interface removed in 15.0 */ + key_setsecret; + key_secretkey_is_set; + key_encryptsession_pk; + key_decryptsession_pk; + key_encryptsession; + key_decryptsession; + key_gendes; + key_get_conv; + key_setnet; + authnone_create; authunix_create; authunix_create_default; - xdr_authdes_cred; - xdr_authdes_verf; xdr_authunix_parms; bindresvport; bindresvport_sa; @@ -58,15 +74,6 @@ endrpcent; getrpcent; getrpcport; - key_setsecret; - key_secretkey_is_set; - key_encryptsession_pk; - key_decryptsession_pk; - key_encryptsession; - key_decryptsession; - key_gendes; - key_setnet; - key_get_conv; xdr_keystatus; xdr_keybuf; xdr_netnamestr; @@ -130,7 +137,6 @@ callrpc; registerrpc; clnt_broadcast; - authdes_create; clntunix_create; svcunix_create; svcunixfd_create; @@ -180,8 +186,6 @@ _authenticate; _svcauth_null; svc_auth_reg; - _svcauth_des; - authdes_getucred; _svcauth_unix; _svcauth_short; svc_dg_create; @@ -205,9 +209,6 @@ FBSDprivate_1.0 { __des_crypt_LOCAL; - __key_encryptsession_pk_LOCAL; - __key_decryptsession_pk_LOCAL; - __key_gendes_LOCAL; __svc_clean_idle; __rpc_gss_unwrap; __rpc_gss_unwrap_stub; 
diff --git a/lib/libc/rpc/auth_des.c b/lib/libc/rpc/auth_des.c
--- a/lib/libc/rpc/auth_des.c
+++ b/lib/libc/rpc/auth_des.c
@@ -30,463 +30,34 @@ /* * Copyright (c) 1988 by Sun Microsystems, Inc. */ + /* - * auth_des.c, client-side implementation of DES authentication + * Secure RPC DES authentication was removed in FreeBSD 15.0. + * These symbols are provided for backward compatibility, but provide no + * functionality and will always return an error. */ #include "namespace.h" #include "reentrant.h" -#include -#include -#include -#include -#include -#include -#include #include #include #include -#include -#include -#include -#undef NIS #include #include "un-namespace.h" -#include "mt_misc.h" - -#define USEC_PER_SEC 1000000 -#define RTIME_TIMEOUT 5 /* seconds to wait for sync */ - -#define AUTH_PRIVATE(auth) (struct ad_private *) auth->ah_private -#define ALLOC(object_type) (object_type *) mem_alloc(sizeof(object_type)) -#define FREE(ptr, size) mem_free((char *)(ptr), (int) size) -#define ATTEMPT(xdr_op) if (!(xdr_op)) return (FALSE) - -extern bool_t xdr_authdes_cred( XDR *, struct authdes_cred *); -extern bool_t xdr_authdes_verf( XDR *, struct authdes_verf *); -extern int key_encryptsession_pk(char *, netobj *, des_block *); - -extern bool_t __rpc_get_time_offset(struct timeval *, nis_server *, char *, - char **, char **); - -/* - * DES authenticator operations vector - */ -static void authdes_nextverf(AUTH *); -static bool_t authdes_marshal(AUTH *, XDR *); -static bool_t authdes_validate(AUTH *, struct opaque_auth *); -static bool_t authdes_refresh(AUTH *, void *); -static void authdes_destroy(AUTH *); - -static struct auth_ops *authdes_ops(void); - -/* - * This struct is pointed to by the ah_private field of an "AUTH *" - */ -struct ad_private { - char *ad_fullname; /* client's full name */ - u_int ad_fullnamelen; /* length of name, rounded up */ - char *ad_servername; /* server's full name */ - u_int ad_servernamelen; /* length of name, rounded up */ - u_int ad_window; /* client specified window */ - bool_t ad_dosync; /* synchronize? 
*/ - struct netbuf ad_syncaddr; /* remote host to synch with */ - char *ad_timehost; /* remote host to synch with */ - struct timeval ad_timediff; /* server's time - client's time */ - u_int ad_nickname; /* server's nickname for client */ - struct authdes_cred ad_cred; /* storage for credential */ - struct authdes_verf ad_verf; /* storage for verifier */ - struct timeval ad_timestamp; /* timestamp sent */ - des_block ad_xkey; /* encrypted conversation key */ - u_char ad_pkey[1024]; /* Server's actual public key */ - char *ad_netid; /* Timehost netid */ - char *ad_uaddr; /* Timehost uaddr */ - nis_server *ad_nis_srvr; /* NIS+ server struct */ -}; - -AUTH *authdes_pk_seccreate(const char *, netobj *, u_int, const char *, - const des_block *, nis_server *); - -/* - * documented version of authdes_seccreate - */ -/* - servername: network name of server - win: time to live - timehost: optional hostname to sync with - ckey: optional conversation key to use -*/ AUTH * -authdes_seccreate(const char *servername, const u_int win, +__authdes_seccreate(const char *servername, const u_int win, const char *timehost, const des_block *ckey) { - u_char pkey_data[1024]; - netobj pkey; - AUTH *dummy; - - if (! getpublickey(servername, (char *) pkey_data)) { - syslog(LOG_ERR, - "authdes_seccreate: no public key found for %s", - servername); - return (NULL); - } - - pkey.n_bytes = (char *) pkey_data; - pkey.n_len = (u_int)strlen((char *)pkey_data) + 1; - dummy = authdes_pk_seccreate(servername, &pkey, win, timehost, - ckey, NULL); - return (dummy); + return (NULL); } +__sym_compat(authdes_seccreate, __authdes_seccreate, FBSD_1.0); -/* - * Slightly modified version of authdessec_create which takes the public key - * of the server principal as an argument. This spares us a call to - * getpublickey() which in the nameserver context can cause a deadlock. 
- */ AUTH * -authdes_pk_seccreate(const char *servername, netobj *pkey, u_int window, - const char *timehost, const des_block *ckey, nis_server *srvr) +__authdes_pk_seccreate(const char *servername __unused, netobj *pkey __unused, + u_int window __unused, const char *timehost __unused, + const des_block *ckey __unused, nis_server *srvr __unused) { - AUTH *auth; - struct ad_private *ad; - char namebuf[MAXNETNAMELEN+1]; - - /* - * Allocate everything now - */ - auth = ALLOC(AUTH); - if (auth == NULL) { - syslog(LOG_ERR, "authdes_pk_seccreate: out of memory"); - return (NULL); - } - ad = ALLOC(struct ad_private); - if (ad == NULL) { - syslog(LOG_ERR, "authdes_pk_seccreate: out of memory"); - goto failed; - } - ad->ad_fullname = ad->ad_servername = NULL; /* Sanity reasons */ - ad->ad_timehost = NULL; - ad->ad_netid = NULL; - ad->ad_uaddr = NULL; - ad->ad_nis_srvr = NULL; - ad->ad_timediff.tv_sec = 0; - ad->ad_timediff.tv_usec = 0; - memcpy(ad->ad_pkey, pkey->n_bytes, pkey->n_len); - if (!getnetname(namebuf)) - goto failed; - ad->ad_fullnamelen = RNDUP((u_int) strlen(namebuf)); - ad->ad_fullname = (char *)mem_alloc(ad->ad_fullnamelen + 1); - ad->ad_servernamelen = strlen(servername); - ad->ad_servername = (char *)mem_alloc(ad->ad_servernamelen + 1); - - if (ad->ad_fullname == NULL || ad->ad_servername == NULL) { - syslog(LOG_ERR, "authdes_seccreate: out of memory"); - goto failed; - } - if (timehost != NULL) { - ad->ad_timehost = (char *)mem_alloc(strlen(timehost) + 1); - if (ad->ad_timehost == NULL) { - syslog(LOG_ERR, "authdes_seccreate: out of memory"); - goto failed; - } - memcpy(ad->ad_timehost, timehost, strlen(timehost) + 1); - ad->ad_dosync = TRUE; - } else if (srvr != NULL) { - ad->ad_nis_srvr = srvr; /* transient */ - ad->ad_dosync = TRUE; - } else { - ad->ad_dosync = FALSE; - } - memcpy(ad->ad_fullname, namebuf, ad->ad_fullnamelen + 1); - memcpy(ad->ad_servername, servername, ad->ad_servernamelen + 1); - ad->ad_window = window; - if (ckey == NULL) { - if 
(key_gendes(&auth->ah_key) < 0) { - syslog(LOG_ERR, - "authdes_seccreate: keyserv(1m) is unable to generate session key"); - goto failed; - } - } else { - auth->ah_key = *ckey; - } - - /* - * Set up auth handle - */ - auth->ah_cred.oa_flavor = AUTH_DES; - auth->ah_verf.oa_flavor = AUTH_DES; - auth->ah_ops = authdes_ops(); - auth->ah_private = (caddr_t)ad; - - if (!authdes_refresh(auth, NULL)) { - goto failed; - } - ad->ad_nis_srvr = NULL; /* not needed any longer */ - return (auth); - -failed: - if (auth) - FREE(auth, sizeof (AUTH)); - if (ad) { - if (ad->ad_fullname) - FREE(ad->ad_fullname, ad->ad_fullnamelen + 1); - if (ad->ad_servername) - FREE(ad->ad_servername, ad->ad_servernamelen + 1); - if (ad->ad_timehost) - FREE(ad->ad_timehost, strlen(ad->ad_timehost) + 1); - if (ad->ad_netid) - FREE(ad->ad_netid, strlen(ad->ad_netid) + 1); - if (ad->ad_uaddr) - FREE(ad->ad_uaddr, strlen(ad->ad_uaddr) + 1); - FREE(ad, sizeof (struct ad_private)); - } return (NULL); } - -/* - * Implement the five authentication operations - */ - - -/* - * 1. Next Verifier - */ -/*ARGSUSED*/ -static void -authdes_nextverf(AUTH *auth __unused) -{ - /* what the heck am I supposed to do??? */ -} - - -/* - * 2. Marshal - */ -static bool_t -authdes_marshal(AUTH *auth, XDR *xdrs) -{ -/* LINTED pointer alignment */ - struct ad_private *ad = AUTH_PRIVATE(auth); - struct authdes_cred *cred = &ad->ad_cred; - struct authdes_verf *verf = &ad->ad_verf; - des_block cryptbuf[2]; - des_block ivec; - int status; - int len; - rpc_inline_t *ixdr; - - /* - * Figure out the "time", accounting for any time difference - * with the server if necessary. 
- */ - (void)gettimeofday(&ad->ad_timestamp, NULL); - ad->ad_timestamp.tv_sec += ad->ad_timediff.tv_sec; - ad->ad_timestamp.tv_usec += ad->ad_timediff.tv_usec; - while (ad->ad_timestamp.tv_usec >= USEC_PER_SEC) { - ad->ad_timestamp.tv_usec -= USEC_PER_SEC; - ad->ad_timestamp.tv_sec++; - } - - /* - * XDR the timestamp and possibly some other things, then - * encrypt them. - */ - ixdr = (rpc_inline_t *)cryptbuf; - IXDR_PUT_INT32(ixdr, ad->ad_timestamp.tv_sec); - IXDR_PUT_INT32(ixdr, ad->ad_timestamp.tv_usec); - if (ad->ad_cred.adc_namekind == ADN_FULLNAME) { - IXDR_PUT_U_INT32(ixdr, ad->ad_window); - IXDR_PUT_U_INT32(ixdr, ad->ad_window - 1); - ivec.key.high = ivec.key.low = 0; - status = cbc_crypt((char *)&auth->ah_key, (char *)cryptbuf, - (u_int) 2 * sizeof (des_block), - DES_ENCRYPT | DES_HW, (char *)&ivec); - } else { - status = ecb_crypt((char *)&auth->ah_key, (char *)cryptbuf, - (u_int) sizeof (des_block), - DES_ENCRYPT | DES_HW); - } - if (DES_FAILED(status)) { - syslog(LOG_ERR, "authdes_marshal: DES encryption failure"); - return (FALSE); - } - ad->ad_verf.adv_xtimestamp = cryptbuf[0]; - if (ad->ad_cred.adc_namekind == ADN_FULLNAME) { - ad->ad_cred.adc_fullname.window = cryptbuf[1].key.high; - ad->ad_verf.adv_winverf = cryptbuf[1].key.low; - } else { - ad->ad_cred.adc_nickname = ad->ad_nickname; - ad->ad_verf.adv_winverf = 0; - } - - /* - * Serialize the credential and verifier into opaque - * authentication data. 
- */ - if (ad->ad_cred.adc_namekind == ADN_FULLNAME) { - len = ((1 + 1 + 2 + 1)*BYTES_PER_XDR_UNIT + ad->ad_fullnamelen); - } else { - len = (1 + 1)*BYTES_PER_XDR_UNIT; - } - - if ((ixdr = xdr_inline(xdrs, 2*BYTES_PER_XDR_UNIT))) { - IXDR_PUT_INT32(ixdr, AUTH_DES); - IXDR_PUT_INT32(ixdr, len); - } else { - ATTEMPT(xdr_putint32(xdrs, (int *)&auth->ah_cred.oa_flavor)); - ATTEMPT(xdr_putint32(xdrs, &len)); - } - ATTEMPT(xdr_authdes_cred(xdrs, cred)); - - len = (2 + 1)*BYTES_PER_XDR_UNIT; - if ((ixdr = xdr_inline(xdrs, 2*BYTES_PER_XDR_UNIT))) { - IXDR_PUT_INT32(ixdr, AUTH_DES); - IXDR_PUT_INT32(ixdr, len); - } else { - ATTEMPT(xdr_putint32(xdrs, (int *)&auth->ah_verf.oa_flavor)); - ATTEMPT(xdr_putint32(xdrs, &len)); - } - ATTEMPT(xdr_authdes_verf(xdrs, verf)); - return (TRUE); -} - - -/* - * 3. Validate - */ -static bool_t -authdes_validate(AUTH *auth, struct opaque_auth *rverf) -{ -/* LINTED pointer alignment */ - struct ad_private *ad = AUTH_PRIVATE(auth); - struct authdes_verf verf; - int status; - uint32_t *ixdr; - des_block buf; - - if (rverf->oa_length != (2 + 1) * BYTES_PER_XDR_UNIT) { - return (FALSE); - } -/* LINTED pointer alignment */ - ixdr = (uint32_t *)rverf->oa_base; - buf.key.high = (uint32_t)*ixdr++; - buf.key.low = (uint32_t)*ixdr++; - verf.adv_int_u = (uint32_t)*ixdr++; - - /* - * Decrypt the timestamp - */ - status = ecb_crypt((char *)&auth->ah_key, (char *)&buf, - (u_int)sizeof (des_block), DES_DECRYPT | DES_HW); - - if (DES_FAILED(status)) { - syslog(LOG_ERR, "authdes_validate: DES decryption failure"); - return (FALSE); - } - - /* - * xdr the decrypted timestamp - */ -/* LINTED pointer alignment */ - ixdr = (uint32_t *)buf.c; - verf.adv_timestamp.tv_sec = IXDR_GET_INT32(ixdr) + 1; - verf.adv_timestamp.tv_usec = IXDR_GET_INT32(ixdr); - - /* - * validate - */ - if (bcmp((char *)&ad->ad_timestamp, (char *)&verf.adv_timestamp, - sizeof(struct timeval)) != 0) { - syslog(LOG_DEBUG, "authdes_validate: verifier mismatch"); - return (FALSE); - } - - /* - 
* We have a nickname now, let's use it - */ - ad->ad_nickname = verf.adv_nickname; - ad->ad_cred.adc_namekind = ADN_NICKNAME; - return (TRUE); -} - -/* - * 4. Refresh - */ -/*ARGSUSED*/ -static bool_t -authdes_refresh(AUTH *auth, void *dummy __unused) -{ -/* LINTED pointer alignment */ - struct ad_private *ad = AUTH_PRIVATE(auth); - struct authdes_cred *cred = &ad->ad_cred; - int ok; - netobj pkey; - - if (ad->ad_dosync) { - ok = __rpc_get_time_offset(&ad->ad_timediff, ad->ad_nis_srvr, - ad->ad_timehost, &(ad->ad_uaddr), - &(ad->ad_netid)); - if (! ok) { - /* - * Hope the clocks are synced! - */ - ad->ad_dosync = 0; - syslog(LOG_DEBUG, - "authdes_refresh: unable to synchronize clock"); - } - } - ad->ad_xkey = auth->ah_key; - pkey.n_bytes = (char *)(ad->ad_pkey); - pkey.n_len = (u_int)strlen((char *)ad->ad_pkey) + 1; - if (key_encryptsession_pk(ad->ad_servername, &pkey, &ad->ad_xkey) < 0) { - syslog(LOG_INFO, - "authdes_refresh: keyserv(1m) is unable to encrypt session key"); - return (FALSE); - } - cred->adc_fullname.key = ad->ad_xkey; - cred->adc_namekind = ADN_FULLNAME; - cred->adc_fullname.name = ad->ad_fullname; - return (TRUE); -} - - -/* - * 5. 
Destroy - */ -static void -authdes_destroy(AUTH *auth) -{ -/* LINTED pointer alignment */ - struct ad_private *ad = AUTH_PRIVATE(auth); - - FREE(ad->ad_fullname, ad->ad_fullnamelen + 1); - FREE(ad->ad_servername, ad->ad_servernamelen + 1); - if (ad->ad_timehost) - FREE(ad->ad_timehost, strlen(ad->ad_timehost) + 1); - if (ad->ad_netid) - FREE(ad->ad_netid, strlen(ad->ad_netid) + 1); - if (ad->ad_uaddr) - FREE(ad->ad_uaddr, strlen(ad->ad_uaddr) + 1); - FREE(ad, sizeof (struct ad_private)); - FREE(auth, sizeof(AUTH)); -} - -static struct auth_ops * -authdes_ops(void) -{ - static struct auth_ops ops; - - /* VARIABLES PROTECTED BY ops_lock: ops */ - - mutex_lock(&authdes_ops_lock); - if (ops.ah_nextverf == NULL) { - ops.ah_nextverf = authdes_nextverf; - ops.ah_marshal = authdes_marshal; - ops.ah_validate = authdes_validate; - ops.ah_refresh = authdes_refresh; - ops.ah_destroy = authdes_destroy; - } - mutex_unlock(&authdes_ops_lock); - return (&ops); -} +__sym_compat(authdes_pk_seccreate, __authdes_pk_seccreate, FBSD_1.0); diff --git a/lib/libc/rpc/authdes_prot.c b/lib/libc/rpc/authdes_prot.c --- a/lib/libc/rpc/authdes_prot.c +++ b/lib/libc/rpc/authdes_prot.c 
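Review bot: `__authdes_seccreate` keeps its four parameters (`servername`, `win`, `timehost`, `ckey`) without `__unused` even though its whole body is `return (NULL);`, while `__authdes_pk_seccreate` directly below marks every parameter `__unused`; a build with -Wunused-parameter warns on the first stub only. Suggest `__authdes_seccreate(const char *servername __unused, const u_int win __unused, const char *timehost __unused, const des_block *ckey __unused)` so the two stubs read the same way. The same inconsistency is in key_call.c, where the eight parameterised stubs from `__key_setsecret` through `__key_get_conv` leave their parameters unannotated.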
@@ -42,44 +42,16 @@
 #include
 #include "un-namespace.h"
-#define ATTEMPT(xdr_op) if (!(xdr_op)) return (FALSE)
-
 bool_t
-xdr_authdes_cred(XDR *xdrs, struct authdes_cred *cred)
+__xdr_authdes_cred(XDR *xdrs, void *cred)
 {
- enum authdes_namekind *padc_namekind = &cred->adc_namekind;
- /*
- * Unrolled xdr
- */
- ATTEMPT(xdr_enum(xdrs, (enum_t *) padc_namekind));
- switch (cred->adc_namekind) {
- case ADN_FULLNAME:
- ATTEMPT(xdr_string(xdrs, &cred->adc_fullname.name,
- MAXNETNAMELEN));
- ATTEMPT(xdr_opaque(xdrs, (caddr_t)&cred->adc_fullname.key,
- sizeof(des_block)));
- ATTEMPT(xdr_opaque(xdrs, (caddr_t)&cred->adc_fullname.window,
- sizeof(cred->adc_fullname.window)));
- return (TRUE);
- case ADN_NICKNAME:
- ATTEMPT(xdr_opaque(xdrs, (caddr_t)&cred->adc_nickname,
- sizeof(cred->adc_nickname)));
- return (TRUE);
- default:
- return (FALSE);
- }
+ return (FALSE);
 }
-
+__sym_compat(xdr_authdes_cred, __xdr_authdes_cred, FBSD_1.0);
 bool_t
-xdr_authdes_verf(XDR *xdrs, struct authdes_verf *verf)
+xdr_authdes_verf(XDR *xdrs, void *verf)
 {
- /*
- * Unrolled xdr
- */
- ATTEMPT(xdr_opaque(xdrs, (caddr_t)&verf->adv_xtimestamp,
- sizeof(des_block)));
- ATTEMPT(xdr_opaque(xdrs, (caddr_t)&verf->adv_int_u,
- sizeof(verf->adv_int_u)));
- return (TRUE);
+ return (FALSE);
 }
+__sym_compat(__xdr_authdes_verf, __xdr_authdes_verf, FBSD_1.0);
diff --git a/lib/libc/rpc/key_call.c b/lib/libc/rpc/key_call.c
--- a/lib/libc/rpc/key_call.c
+++ b/lib/libc/rpc/key_call.c
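Review bot: The compat alias at the end of the hunk names a function that does not exist: `__sym_compat(__xdr_authdes_verf, __xdr_authdes_verf, FBSD_1.0);` passes the double-underscore name for both the exported and the implementing symbol, while the definition above it is still `xdr_authdes_verf(XDR *xdrs, void *verf)`. The sibling stub follows the intended pattern (`__xdr_authdes_cred` with `__sym_compat(xdr_authdes_cred, __xdr_authdes_cred, FBSD_1.0);`), and Symbol.map lists `xdr_authdes_verf` under FBSD_1.0 as a compat symbol. Rename the definition to `__xdr_authdes_verf(XDR *xdrs, void *verf)` and change the alias to `__sym_compat(xdr_authdes_verf, __xdr_authdes_verf, FBSD_1.0);`. As written, the generated .symver directive presumably refers to an undefined symbol, and `xdr_authdes_verf` would otherwise be exported only through the version script rather than as the intended compat alias.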
@@ -32,426 +32,78 @@ */ /* - * key_call.c, Interface to keyserver - * - * setsecretkey(key) - set your secret key - * encryptsessionkey(agent, deskey) - encrypt a session key to talk to agent - * decryptsessionkey(agent, deskey) - decrypt ditto - * gendeskey(deskey) - generate a secure des key + * Secure RPC keyserver support was removed in FreeBSD 15.0. + * These symbols are provided for backward compatibility, but provide no + * functionality and will always return an error. */ #include "namespace.h" #include "reentrant.h" -#include -#include -#include -#include #include -#include -#include #include -#include -#include -#include -#include -#include -#include -#include +#include #include "un-namespace.h" #include "mt_misc.h" - -#define KEY_TIMEOUT 5 /* per-try timeout in seconds */ -#define KEY_NRETRY 12 /* number of retries */ - -#ifdef DEBUG -#define debug(msg) (void) fprintf(stderr, "%s\n", msg); -#else -#define debug(msg) -#endif /* DEBUG */ - -/* - * Hack to allow the keyserver to use AUTH_DES (for authenticated - * NIS+ calls, for example). The only functions that get called - * are key_encryptsession_pk, key_decryptsession_pk, and key_gendes. - * - * The approach is to have the keyserver fill in pointers to local - * implementations of these functions, and to call those in key_call(). 
- */ - -cryptkeyres *(*__key_encryptsession_pk_LOCAL)(uid_t, void *arg) = 0; -cryptkeyres *(*__key_decryptsession_pk_LOCAL)(uid_t, void *arg) = 0; -des_block *(*__key_gendes_LOCAL)(uid_t, void *) = 0; - -static int key_call( u_long, xdrproc_t, void *, xdrproc_t, void *); - int -key_setsecret(const char *secretkey) +__key_setsecret(const char *secretkey) { - keystatus status; - - if (!key_call((u_long) KEY_SET, (xdrproc_t)xdr_keybuf, - (void *)secretkey, - (xdrproc_t)xdr_keystatus, &status)) { - return (-1); - } - if (status != KEY_SUCCESS) { - debug("set status is nonzero"); - return (-1); - } - return (0); + return (-1); } - - -/* key_secretkey_is_set() returns 1 if the keyserver has a secret key - * stored for the caller's effective uid; it returns 0 otherwise - * - * N.B.: The KEY_NET_GET key call is undocumented. Applications shouldn't - * be using it, because it allows them to get the user's secret key. - */ +__sym_compat(key_setsecret, __key_setsecret, FBSD_1.0); int -key_secretkey_is_set(void) +__key_secretkey_is_set(void) { - struct key_netstres kres; - - memset((void*)&kres, 0, sizeof (kres)); - if (key_call((u_long) KEY_NET_GET, (xdrproc_t)xdr_void, NULL, - (xdrproc_t)xdr_key_netstres, &kres) && - (kres.status == KEY_SUCCESS) && - (kres.key_netstres_u.knet.st_priv_key[0] != 0)) { - /* avoid leaving secret key in memory */ - memset(kres.key_netstres_u.knet.st_priv_key, 0, HEXKEYBYTES); - return (1); - } return (0); } +__sym_compat(key_secretkey_is_set, __key_secretkey_is_set, FBSD_1.0); int -key_encryptsession_pk(char *remotename, netobj *remotekey, des_block *deskey) +__key_encryptsession_pk(char *remotename, netobj *remotekey, des_block *deskey) { - cryptkeyarg2 arg; - cryptkeyres res; - - arg.remotename = remotename; - arg.remotekey = *remotekey; - arg.deskey = *deskey; - if (!key_call((u_long)KEY_ENCRYPT_PK, (xdrproc_t)xdr_cryptkeyarg2, &arg, - (xdrproc_t)xdr_cryptkeyres, &res)) { - return (-1); - } - if (res.status != KEY_SUCCESS) { - debug("encrypt 
status is nonzero"); - return (-1); - } - *deskey = res.cryptkeyres_u.deskey; - return (0); + return (-1); } +__sym_compat(key_encryptsession_pk, __key_encryptsession_pk, FBSD_1.0); int -key_decryptsession_pk(char *remotename, netobj *remotekey, des_block *deskey) +__key_decryptsession_pk(char *remotename, netobj *remotekey, des_block *deskey) { - cryptkeyarg2 arg; - cryptkeyres res; - - arg.remotename = remotename; - arg.remotekey = *remotekey; - arg.deskey = *deskey; - if (!key_call((u_long)KEY_DECRYPT_PK, (xdrproc_t)xdr_cryptkeyarg2, &arg, - (xdrproc_t)xdr_cryptkeyres, &res)) { - return (-1); - } - if (res.status != KEY_SUCCESS) { - debug("decrypt status is nonzero"); - return (-1); - } - *deskey = res.cryptkeyres_u.deskey; - return (0); + return (-1); } +__sym_compat(key_decryptsession_pk, __key_decryptsession_pk, FBSD_1.0); int -key_encryptsession(const char *remotename, des_block *deskey) +__key_encryptsession(const char *remotename, des_block *deskey) { - cryptkeyarg arg; - cryptkeyres res; - - arg.remotename = (char *) remotename; - arg.deskey = *deskey; - if (!key_call((u_long)KEY_ENCRYPT, (xdrproc_t)xdr_cryptkeyarg, &arg, - (xdrproc_t)xdr_cryptkeyres, &res)) { - return (-1); - } - if (res.status != KEY_SUCCESS) { - debug("encrypt status is nonzero"); - return (-1); - } - *deskey = res.cryptkeyres_u.deskey; - return (0); + return (-1); } +__sym_compat(key_encryptsession, __key_encryptsession, FBSD_1.0); int -key_decryptsession(const char *remotename, des_block *deskey) +__key_decryptsession(const char *remotename, des_block *deskey) { - cryptkeyarg arg; - cryptkeyres res; - - arg.remotename = (char *) remotename; - arg.deskey = *deskey; - if (!key_call((u_long)KEY_DECRYPT, (xdrproc_t)xdr_cryptkeyarg, &arg, - (xdrproc_t)xdr_cryptkeyres, &res)) { - return (-1); - } - if (res.status != KEY_SUCCESS) { - debug("decrypt status is nonzero"); - return (-1); - } - *deskey = res.cryptkeyres_u.deskey; - return (0); + return (-1); } +__sym_compat(key_decryptsession, 
__key_decryptsession, FBSD_1.0); int -key_gendes(des_block *key) +__key_gendes(des_block *key) { - if (!key_call((u_long)KEY_GEN, (xdrproc_t)xdr_void, NULL, - (xdrproc_t)xdr_des_block, key)) { - return (-1); - } - return (0); + return (-1); } +__sym_compat(key_gendes, __key_gendes, FBSD_1.0); int -key_setnet(struct key_netstarg *arg) +__key_setnet(struct key_netstarg *arg) { - keystatus status; - - - if (!key_call((u_long) KEY_NET_PUT, (xdrproc_t)xdr_key_netstarg, arg, - (xdrproc_t)xdr_keystatus, &status)){ - return (-1); - } - - if (status != KEY_SUCCESS) { - debug("key_setnet status is nonzero"); - return (-1); - } - return (1); + return (-1); } - +__sym_compat(key_setnet, __key_setnet, FBSD_1.0); int -key_get_conv(char *pkey, des_block *deskey) +__key_get_conv(char *pkey, des_block *deskey) { - cryptkeyres res; - - if (!key_call((u_long) KEY_GET_CONV, (xdrproc_t)xdr_keybuf, pkey, - (xdrproc_t)xdr_cryptkeyres, &res)) { - return (-1); - } - if (res.status != KEY_SUCCESS) { - debug("get_conv status is nonzero"); - return (-1); - } - *deskey = res.cryptkeyres_u.deskey; - return (0); -} - -struct key_call_private { - CLIENT *client; /* Client handle */ - pid_t pid; /* process-id at moment of creation */ - uid_t uid; /* user-id at last authorization */ -}; -static struct key_call_private *key_call_private_main = NULL; -static thread_key_t key_call_key; -static once_t key_call_once = ONCE_INITIALIZER; -static int key_call_key_error; - -static void -key_call_destroy(void *vp) -{ - struct key_call_private *kcp = (struct key_call_private *)vp; - - if (kcp) { - if (kcp->client) - clnt_destroy(kcp->client); - free(kcp); - } -} - -static void -key_call_init(void) -{ - - key_call_key_error = thr_keycreate(&key_call_key, key_call_destroy); -} - -/* - * Keep the handle cached. This call may be made quite often. 
- */ -static CLIENT * -getkeyserv_handle(int vers) -{ - void *localhandle; - struct netconfig *nconf; - struct netconfig *tpconf; - struct key_call_private *kcp; - struct timeval wait_time; - struct utsname u; - int main_thread; - int fd; - -#define TOTAL_TIMEOUT 30 /* total timeout talking to keyserver */ -#define TOTAL_TRIES 5 /* Number of tries */ - - if ((main_thread = thr_main())) { - kcp = key_call_private_main; - } else { - if (thr_once(&key_call_once, key_call_init) != 0 || - key_call_key_error != 0) - return ((CLIENT *) NULL); - kcp = (struct key_call_private *)thr_getspecific(key_call_key); - } - if (kcp == (struct key_call_private *)NULL) { - kcp = (struct key_call_private *)malloc(sizeof (*kcp)); - if (kcp == (struct key_call_private *)NULL) { - return ((CLIENT *) NULL); - } - if (main_thread) - key_call_private_main = kcp; - else - thr_setspecific(key_call_key, (void *) kcp); - kcp->client = NULL; - } - - /* if pid has changed, destroy client and rebuild */ - if (kcp->client != NULL && kcp->pid != getpid()) { - clnt_destroy(kcp->client); - kcp->client = NULL; - } - - if (kcp->client != NULL) { - /* if uid has changed, build client handle again */ - if (kcp->uid != geteuid()) { - kcp->uid = geteuid(); - auth_destroy(kcp->client->cl_auth); - kcp->client->cl_auth = - authsys_create("", kcp->uid, 0, 0, NULL); - if (kcp->client->cl_auth == NULL) { - clnt_destroy(kcp->client); - kcp->client = NULL; - return ((CLIENT *) NULL); - } - } - /* Change the version number to the new one */ - clnt_control(kcp->client, CLSET_VERS, (void *)&vers); - return (kcp->client); - } - if (!(localhandle = setnetconfig())) { - return ((CLIENT *) NULL); - } - tpconf = NULL; -#if defined(__FreeBSD__) - if (uname(&u) == -1) -#else -#if defined(i386) - if (_nuname(&u) == -1) -#elif defined(sparc) - if (_uname(&u) == -1) -#else -#error Unknown architecture! 
-#endif -#endif - { - endnetconfig(localhandle); - return ((CLIENT *) NULL); - } - while ((nconf = getnetconfig(localhandle)) != NULL) { - if (strcmp(nconf->nc_protofmly, NC_LOOPBACK) == 0) { - /* - * We use COTS_ORD here so that the caller can - * find out immediately if the server is dead. - */ - if (nconf->nc_semantics == NC_TPI_COTS_ORD) { - kcp->client = clnt_tp_create(u.nodename, - KEY_PROG, vers, nconf); - if (kcp->client) - break; - } else { - tpconf = nconf; - } - } - } - if ((kcp->client == (CLIENT *) NULL) && (tpconf)) - /* Now, try the CLTS or COTS loopback transport */ - kcp->client = clnt_tp_create(u.nodename, - KEY_PROG, vers, tpconf); - endnetconfig(localhandle); - - if (kcp->client == (CLIENT *) NULL) { - return ((CLIENT *) NULL); - } - kcp->uid = geteuid(); - kcp->pid = getpid(); - kcp->client->cl_auth = authsys_create("", kcp->uid, 0, 0, NULL); - if (kcp->client->cl_auth == NULL) { - clnt_destroy(kcp->client); - kcp->client = NULL; - return ((CLIENT *) NULL); - } - - wait_time.tv_sec = TOTAL_TIMEOUT/TOTAL_TRIES; - wait_time.tv_usec = 0; - (void) clnt_control(kcp->client, CLSET_RETRY_TIMEOUT, - (char *)&wait_time); - if (clnt_control(kcp->client, CLGET_FD, (char *)&fd)) - _fcntl(fd, F_SETFD, 1); /* make it "close on exec" */ - - return (kcp->client); -} - -/* returns 0 on failure, 1 on success */ - -static int -key_call(u_long proc, xdrproc_t xdr_arg, void *arg, xdrproc_t xdr_rslt, - void *rslt) -{ - CLIENT *clnt; - struct timeval wait_time; - - if (proc == KEY_ENCRYPT_PK && __key_encryptsession_pk_LOCAL) { - cryptkeyres *res; - res = (*__key_encryptsession_pk_LOCAL)(geteuid(), arg); - *(cryptkeyres*)rslt = *res; - return (1); - } else if (proc == KEY_DECRYPT_PK && __key_decryptsession_pk_LOCAL) { - cryptkeyres *res; - res = (*__key_decryptsession_pk_LOCAL)(geteuid(), arg); - *(cryptkeyres*)rslt = *res; - return (1); - } else if (proc == KEY_GEN && __key_gendes_LOCAL) { - des_block *res; - res = (*__key_gendes_LOCAL)(geteuid(), 0); - 
*(des_block*)rslt = *res; - return (1); - } - - if ((proc == KEY_ENCRYPT_PK) || (proc == KEY_DECRYPT_PK) || - (proc == KEY_NET_GET) || (proc == KEY_NET_PUT) || - (proc == KEY_GET_CONV)) - clnt = getkeyserv_handle(2); /* talk to version 2 */ - else - clnt = getkeyserv_handle(1); /* talk to version 1 */ - - if (clnt == NULL) { - return (0); - } - - wait_time.tv_sec = TOTAL_TIMEOUT; - wait_time.tv_usec = 0; - - if (clnt_call(clnt, proc, xdr_arg, arg, xdr_rslt, rslt, - wait_time) == RPC_SUCCESS) { - return (1); - } else { - return (0); - } + return (-1); } +__sym_compat(key_get_conv, __key_get_conv, FBSD_1.0); diff --git a/lib/libc/rpc/publickey.5 b/lib/libc/rpc/publickey.5 deleted file mode 100644 --- a/lib/libc/rpc/publickey.5 +++ /dev/null @@ -1,40 +0,0 @@ -.Dd October 19, 1987 -.Dt PUBLICKEY 5 -.Os -.Sh NAME -.Nm publickey -.Nd "public key database" -.Sh SYNOPSIS -.Pa /etc/publickey -.Sh DESCRIPTION -.Pa /etc/publickey -is the public key database used for secure -RPC (Remote Procedure Calls). -Each entry in -the database consists of a network user -name (which may either refer to -a user or a hostname), followed by the user's -public key (in hex -notation), a colon, and then the user's -secret key encrypted with -its login password (also in hex notation). -.Pp -This file is altered either by the user through the -.Xr chkey 1 -command or by the system administrator through the -.Xr newkey 8 -command. -The file -.Pa /etc/publickey -should only contain data on the -.Tn NIS -master machine, where it -is converted into the -.Tn NIS -database -.Pa publickey.byname . -.Sh SEE ALSO -.Xr chkey 1 , -.Xr publickey 3 , -.Xr newkey 8 , -.Xr ypupdated 8 diff --git a/lib/libc/rpc/rpc_secure.3 b/lib/libc/rpc/rpc_secure.3 --- a/lib/libc/rpc/rpc_secure.3 +++ b/lib/libc/rpc/rpc_secure.3 
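Review bot: The new file comment says the stubs "will always return an error", but `__key_secretkey_is_set` returns 0, which by the contract in the removed comment means "no secret key stored for the caller" rather than a failure, and `__key_setnet` now returns -1 where the old code returned 1 on success. Suggest making the comment precise: ` * functionality: the key_* calls always fail with -1, and key_secretkey_is_set() always reports that no key is set.`. Whether `"reentrant.h"` and `"mt_misc.h"` are still needed is not visible here (the stubs reference nothing from them), so consider dropping them if nothing else in the file uses them. This hunk starts at line 32 of the file; the license header above it is outside the hunk.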
@@ -1,34 +1,17 @@
 .\"
-.Dd February 16, 1988
-.Dt RPC 3
+.Dd May 21, 2025
+.Dt RPC_SECURE 3
 .Os
 .Sh NAME
 .Nm rpc_secure
 .Nd library routines for secure remote procedure calls
 .Sh SYNOPSIS
 .In rpc/rpc.h
-.Ft AUTH *
-.Fo authdes_create
-.Fa "char *name"
-.Fa "unsigned window"
-.Fa "struct sockaddr *addr"
-.Fa "des_block *ckey"
-.Fc
-.Ft int
-.Fn authdes_getucred "struct authdes_cred *adc" "uid_t *uid" "gid_t *gid" "int *grouplen" "gid_t *groups"
 .Ft int
 .Fn getnetname "char *name"
 .Ft int
 .Fn host2netname "char *name" "const char *host" "const char *domain"
 .Ft int
-.Fn key_decryptsession "const char *remotename" "des_block *deskey"
-.Ft int
-.Fn key_encryptsession "const char *remotename" "des_block *deskey"
-.Ft int
-.Fn key_gendes "des_block *deskey"
-.Ft int
-.Fn key_setsecret "const char *key"
-.Ft int
 .Fn netname2host "char *name" "char *host" "int hostlen"
 .Ft int
 .Fn netname2user "char *name" "uid_t *uidp" "gid_t *gidp" "int *gidlenp" "gid_t *gidlist"
@@ -38,101 +21,11 @@ These routines are part of the .Tn RPC library. -They implement -.Tn DES -Authentication. See .Xr rpc 3 for further details about .Tn RPC . .Pp -The -.Fn authdes_create -is the first of two routines which interface to the -.Tn RPC -secure authentication system, known as -.Tn DES -authentication. -The second is -.Fn authdes_getucred , -below. -.Pp -Note: the keyserver daemon -.Xr keyserv 8 -must be running for the -.Tn DES -authentication system to work. -.Pp -The -.Fn authdes_create -function, -used on the client side, returns an authentication handle that -will enable the use of the secure authentication system. -The first argument -.Fa name -is the network name, or -.Fa netname , -of the owner of the server process. -This field usually -represents a -.Fa hostname -derived from the utility routine -.Fn host2netname , -but could also represent a user name using -.Fn user2netname . -The second field is window on the validity of -the client credential, given in seconds. -A small -window is more secure than a large one, but choosing -too small of a window will increase the frequency of -resynchronizations because of clock drift. -The third -argument -.Fa addr -is optional. -If it is -.Dv NULL , -then the authentication system will assume -that the local clock is always in sync with the server's -clock, and will not attempt resynchronizations. -If an address -is supplied, however, then the system will use the address -for consulting the remote time service whenever -resynchronization -is required. -This argument is usually the -address of the -.Tn RPC -server itself. -The final argument -.Fa ckey -is also optional. -If it is -.Dv NULL , -then the authentication system will -generate a random -.Tn DES -key to be used for the encryption of credentials. -If it is supplied, however, then it will be used instead. 
-.Pp -The -.Fn authdes_getucred -function, -the second of the two -.Tn DES -authentication routines, -is used on the server side for converting a -.Tn DES -credential, which is -operating system independent, into a -.Ux -credential. -This routine differs from utility routine -.Fn netname2user -in that -.Fn authdes_getucred -pulls its information from a cache, and does not have to do a -Yellow Pages lookup every time it is called to get its information. .Pp The .Fn getnetname 
@@ -161,72 +54,6 @@ .Fn netname2host . .Pp The -.Fn key_decryptsession -function -is an interface to the keyserver daemon, which is associated -with -.Tn RPC Ns 's -secure authentication system -.Tn ( DES -authentication). -User programs rarely need to call it, or its associated routines -.Fn key_encryptsession , -.Fn key_gendes -and -.Fn key_setsecret . -System commands such as -.Xr login 1 -and the -.Tn RPC -library are the main clients of these four routines. -.Pp -The -.Fn key_decryptsession -function -takes a server netname and a -.Tn DES -key, and decrypts the key by -using the public key of the server and the secret key -associated with the effective uid of the calling process. -It -is the inverse of -.Fn key_encryptsession . -.Pp -The -.Fn key_encryptsession -function -is a keyserver interface routine. -It -takes a server netname and a des key, and encrypts -it using the public key of the server and the secret key -associated with the effective uid of the calling process. -It -is the inverse of -.Fn key_decryptsession . -.Pp -The -.Fn key_gendes -function -is a keyserver interface routine. -It -is used to ask the keyserver for a secure conversation key. -Choosing one -.Qq random -is usually not good enough, -because -the common ways of choosing random numbers, such as using the -current time, are very easy to guess. -.Pp -The -.Fn key_setsecret -function -is a keyserver interface routine. -It is used to set the key for -the effective -.Fa uid -of the calling process. -.Pp -The .Fn netname2host function converts from an operating-system independent netname to a diff --git a/lib/libc/rpc/rpc_soc.3 b/lib/libc/rpc/rpc_soc.3 --- a/lib/libc/rpc/rpc_soc.3 +++ b/lib/libc/rpc/rpc_soc.3 @@ -1,6 +1,6 @@ .\" $NetBSD: rpc_soc.3,v 1.2 2000/06/07 13:39:43 simonb Exp $ .\" -.Dd February 16, 1988 +.Dd May 23, 2025 .Dt RPC_SOC 3 .Os .Sh NAME 
@@ -100,16 +100,6 @@ reply. Finally, the procedure call returns to the client. .Pp -Routines that are used for Secure -.Tn RPC ( DES -authentication) are described in -.Xr rpc_secure 3 . -Secure -.Tn RPC -can be used only if -.Tn DES -encryption is available. -.Pp .Bl -tag -width indent -compact .It Xo .Ft void @@ -1701,7 +1691,6 @@ Service implementors usually do not need this routine. .El .Sh SEE ALSO -.Xr rpc_secure 3 , .Xr xdr 3 .Rs .%T "Remote Procedure Calls: Protocol Specification" diff --git a/lib/libc/rpc/rpc_soc.c b/lib/libc/rpc/rpc_soc.c --- a/lib/libc/rpc/rpc_soc.c +++ b/lib/libc/rpc/rpc_soc.c @@ -380,35 +380,12 @@ * authdes_seccreate(). */ AUTH * -authdes_create(char *servername, u_int window, struct sockaddr *syncaddr, +__authdes_create(char *servername, u_int window, struct sockaddr *syncaddr, des_block *ckey) -/* - * char *servername; // network name of server - * u_int window; // time to live - * struct sockaddr *syncaddr; // optional hostaddr to sync with - * des_block *ckey; // optional conversation key to use - */ { - AUTH *dummy; - AUTH *nauth; - char hostname[NI_MAXHOST]; - - if (syncaddr) { - /* - * Change addr to hostname, because that is the way - * new interface takes it. - */ - if (getnameinfo(syncaddr, syncaddr->sa_len, hostname, - sizeof hostname, NULL, 0, 0) != 0) - goto fallback; - - nauth = authdes_seccreate(servername, window, hostname, ckey); - return (nauth); - } -fallback: - dummy = authdes_seccreate(servername, window, NULL, ckey); - return (dummy); + return (NULL); } +__sym_compat(authdes_create, __authdes_create, FBSD_1.0); /* * Create a client handle for a unix connection. Obsoleted by clnt_vc_create() diff --git a/lib/libc/rpc/svc_auth.c b/lib/libc/rpc/svc_auth.c --- a/lib/libc/rpc/svc_auth.c +++ b/lib/libc/rpc/svc_auth.c @@ -114,11 +114,6 @@ case AUTH_SHORT: dummy = _svcauth_short(rqst, msg); return (dummy); -#ifdef DES_BUILTIN - case AUTH_DES: - dummy = _svcauth_des(rqst, msg); - return (dummy); -#endif default: break; } 
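Review bot: The context line kept above `__authdes_create` still closes a comment with `authdes_seccreate().`, a routine whose declaration this same commit deletes from sys/rpc/auth.h, so the only description left for the stub points at a removed function; the start of that comment lies outside the hunk. With the body reduced to `return (NULL);` and every parameter unused, the comment should instead state what the FBSD_1.0 compat symbol does now, e.g. `/* Compatibility stub: DES authentication was removed in FreeBSD 15.0; always returns NULL. */`, and the parameters could carry `__unused` to keep the build quiet. The same stale-header problem applies to the retained comments above `__svcauth_des` and `__authdes_getucred` in the svc_auth_des.c hunks.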
@@ -186,9 +181,6 @@ case AUTH_NULL: case AUTH_SYS: case AUTH_SHORT: -#ifdef DES_BUILTIN - case AUTH_DES: -#endif /* already registered */ return (1); diff --git a/lib/libc/rpc/svc_auth_des.c b/lib/libc/rpc/svc_auth_des.c --- a/lib/libc/rpc/svc_auth_des.c +++ b/lib/libc/rpc/svc_auth_des.c @@ -34,17 +34,8 @@ */ /* - * svcauth_des.c, server-side des authentication - * - * We insure for the service the following: - * (1) The timestamp microseconds do not exceed 1 million. - * (2) The timestamp plus the window is less than the current time. - * (3) The timestamp is not less than the one previously - * seen in the current session. - * - * It is up to the server to determine if the window size is - * too small . - * + * svcauth_des.c, server-side des authentication. + * This functionality was removed in FreeBSD 15.0. */ #include "namespace.h" 
@@ -65,385 +56,17 @@ #include #include "libc_private.h" -extern int key_decryptsession_pk(const char *, netobj *, des_block *); - -#define debug(msg) printf("svcauth_des: %s\n", msg) - -#define USEC_PER_SEC ((u_long) 1000000L) -#define BEFORE(t1, t2) timercmp(t1, t2, <) - -/* - * LRU cache of conversation keys and some other useful items. - */ -#define AUTHDES_CACHESZ 64 -struct cache_entry { - des_block key; /* conversation key */ - char *rname; /* client's name */ - u_int window; /* credential lifetime window */ - struct timeval laststamp; /* detect replays of creds */ - char *localcred; /* generic local credential */ -}; -static struct cache_entry *authdes_cache/* [AUTHDES_CACHESZ] */; -static short *authdes_lru/* [AUTHDES_CACHESZ] */; - -static void cache_init(void); /* initialize the cache */ -static short cache_spot(des_block *, char *, struct timeval *); /* find an entry in the cache */ -static void cache_ref(short sid); /* note that sid was ref'd */ - -static void invalidate(char *); /* invalidate entry in cache */ - -/* - * cache statistics - */ -static struct { - u_long ncachehits; /* times cache hit, and is not replay */ - u_long ncachereplays; /* times cache hit, and is replay */ - u_long ncachemisses; /* times cache missed */ -} svcauthdes_stats; - /* * Service side authenticator for AUTH_DES */ enum auth_stat -_svcauth_des(struct svc_req *rqst, struct rpc_msg *msg) +__svcauth_des(struct svc_req *rqst, struct rpc_msg *msg) { - - long *ixdr; - des_block cryptbuf[2]; - struct authdes_cred *cred; - struct authdes_verf verf; - int status; - struct cache_entry *entry; - short sid = 0; - des_block *sessionkey; - des_block ivec; - u_int window; - struct timeval timestamp; - u_long namelen; - struct area { - struct authdes_cred area_cred; - char area_netname[MAXNETNAMELEN+1]; - } *area; - - if (authdes_cache == NULL) { - cache_init(); - } - - area = (struct area *)rqst->rq_clntcred; - cred = (struct authdes_cred *)&area->area_cred; - - /* - * Get the 
credential - */ - ixdr = (long *)msg->rm_call.cb_cred.oa_base; - cred->adc_namekind = IXDR_GET_ENUM(ixdr, enum authdes_namekind); - switch (cred->adc_namekind) { - case ADN_FULLNAME: - namelen = IXDR_GET_U_LONG(ixdr); - if (namelen > MAXNETNAMELEN) { - return (AUTH_BADCRED); - } - cred->adc_fullname.name = area->area_netname; - bcopy((char *)ixdr, cred->adc_fullname.name, - (u_int)namelen); - cred->adc_fullname.name[namelen] = 0; - ixdr += (RNDUP(namelen) / BYTES_PER_XDR_UNIT); - cred->adc_fullname.key.key.high = (u_long)*ixdr++; - cred->adc_fullname.key.key.low = (u_long)*ixdr++; - cred->adc_fullname.window = (u_long)*ixdr++; - break; - case ADN_NICKNAME: - cred->adc_nickname = (u_long)*ixdr++; - break; - default: - return (AUTH_BADCRED); - } - - /* - * Get the verifier - */ - ixdr = (long *)msg->rm_call.cb_verf.oa_base; - verf.adv_xtimestamp.key.high = (u_long)*ixdr++; - verf.adv_xtimestamp.key.low = (u_long)*ixdr++; - verf.adv_int_u = (u_long)*ixdr++; - - - /* - * Get the conversation key - */ - if (cred->adc_namekind == ADN_FULLNAME) { - netobj pkey; - char pkey_data[1024]; - - sessionkey = &cred->adc_fullname.key; - if (! 
getpublickey(cred->adc_fullname.name, pkey_data)) { - debug("getpublickey"); - return(AUTH_BADCRED); - } - pkey.n_bytes = pkey_data; - pkey.n_len = strlen(pkey_data) + 1; - if (key_decryptsession_pk(cred->adc_fullname.name, &pkey, - sessionkey) < 0) { - debug("decryptsessionkey"); - return (AUTH_BADCRED); /* key not found */ - } - } else { /* ADN_NICKNAME */ - sid = (short)cred->adc_nickname; - if (sid < 0 || sid >= AUTHDES_CACHESZ) { - debug("bad nickname"); - return (AUTH_BADCRED); /* garbled credential */ - } - sessionkey = &authdes_cache[sid].key; - } - - - /* - * Decrypt the timestamp - */ - cryptbuf[0] = verf.adv_xtimestamp; - if (cred->adc_namekind == ADN_FULLNAME) { - cryptbuf[1].key.high = cred->adc_fullname.window; - cryptbuf[1].key.low = verf.adv_winverf; - ivec.key.high = ivec.key.low = 0; - status = cbc_crypt((char *)sessionkey, (char *)cryptbuf, - 2*sizeof(des_block), DES_DECRYPT | DES_HW, - (char *)&ivec); - } else { - status = ecb_crypt((char *)sessionkey, (char *)cryptbuf, - sizeof(des_block), DES_DECRYPT | DES_HW); - } - if (DES_FAILED(status)) { - debug("decryption failure"); - return (AUTH_FAILED); /* system error */ - } - - /* - * XDR the decrypted timestamp - */ - ixdr = (long *)cryptbuf; - timestamp.tv_sec = IXDR_GET_LONG(ixdr); - timestamp.tv_usec = IXDR_GET_LONG(ixdr); - - /* - * Check for valid credentials and verifiers. - * They could be invalid because the key was flushed - * out of the cache, and so a new session should begin. - * Be sure and send AUTH_REJECTED{CRED, VERF} if this is the case. 
- */ - { - struct timeval current; - int nick; - int winverf; - - if (cred->adc_namekind == ADN_FULLNAME) { - window = IXDR_GET_U_LONG(ixdr); - winverf = IXDR_GET_U_LONG(ixdr); - if (winverf != window - 1) { - debug("window verifier mismatch"); - return (AUTH_BADCRED); /* garbled credential */ - } - sid = cache_spot(sessionkey, cred->adc_fullname.name, - ×tamp); - if (sid < 0) { - debug("replayed credential"); - return (AUTH_REJECTEDCRED); /* replay */ - } - nick = 0; - } else { /* ADN_NICKNAME */ - window = authdes_cache[sid].window; - nick = 1; - } - - if ((u_long)timestamp.tv_usec >= USEC_PER_SEC) { - debug("invalid usecs"); - /* cached out (bad key), or garbled verifier */ - return (nick ? AUTH_REJECTEDVERF : AUTH_BADVERF); - } - if (nick && BEFORE(×tamp, - &authdes_cache[sid].laststamp)) { - debug("timestamp before last seen"); - return (AUTH_REJECTEDVERF); /* replay */ - } - (void)gettimeofday(¤t, NULL); - current.tv_sec -= window; /* allow for expiration */ - if (!BEFORE(¤t, ×tamp)) { - debug("timestamp expired"); - /* replay, or garbled credential */ - return (nick ? 
AUTH_REJECTEDVERF : AUTH_BADCRED); - } - } - - /* - * Set up the reply verifier - */ - verf.adv_nickname = (u_long)sid; - - /* - * xdr the timestamp before encrypting - */ - ixdr = (long *)cryptbuf; - IXDR_PUT_LONG(ixdr, timestamp.tv_sec - 1); - IXDR_PUT_LONG(ixdr, timestamp.tv_usec); - - /* - * encrypt the timestamp - */ - status = ecb_crypt((char *)sessionkey, (char *)cryptbuf, - sizeof(des_block), DES_ENCRYPT | DES_HW); - if (DES_FAILED(status)) { - debug("encryption failure"); - return (AUTH_FAILED); /* system error */ - } - verf.adv_xtimestamp = cryptbuf[0]; - - /* - * Serialize the reply verifier, and update rqst - */ - ixdr = (long *)msg->rm_call.cb_verf.oa_base; - *ixdr++ = (long)verf.adv_xtimestamp.key.high; - *ixdr++ = (long)verf.adv_xtimestamp.key.low; - *ixdr++ = (long)verf.adv_int_u; - - rqst->rq_xprt->xp_verf.oa_flavor = AUTH_DES; - rqst->rq_xprt->xp_verf.oa_base = msg->rm_call.cb_verf.oa_base; - rqst->rq_xprt->xp_verf.oa_length = - (char *)ixdr - msg->rm_call.cb_verf.oa_base; - - /* - * We succeeded, commit the data to the cache now and - * finish cooking the credential. 
- */ - entry = &authdes_cache[sid]; - entry->laststamp = timestamp; - cache_ref(sid); - if (cred->adc_namekind == ADN_FULLNAME) { - cred->adc_fullname.window = window; - cred->adc_nickname = (u_long)sid; /* save nickname */ - if (entry->rname != NULL) { - mem_free(entry->rname, strlen(entry->rname) + 1); - } - entry->rname = (char *)mem_alloc((u_int)strlen(cred->adc_fullname.name) - + 1); - if (entry->rname != NULL) { - (void) strcpy(entry->rname, cred->adc_fullname.name); - } else { - debug("out of memory"); - } - entry->key = *sessionkey; - entry->window = window; - invalidate(entry->localcred); /* mark any cached cred invalid */ - } else { /* ADN_NICKNAME */ - /* - * nicknames are cooked into fullnames - */ - cred->adc_namekind = ADN_FULLNAME; - cred->adc_fullname.name = entry->rname; - cred->adc_fullname.key = entry->key; - cred->adc_fullname.window = entry->window; - } - return (AUTH_OK); /* we made it!*/ + return (AUTH_FAILED); } +__sym_compat(_svcauth_des, __svcauth_des, FBSD_1.0); -/* - * Initialize the cache - */ -static void -cache_init(void) -{ - int i; - - authdes_cache = (struct cache_entry *) - mem_alloc(sizeof(struct cache_entry) * AUTHDES_CACHESZ); - bzero((char *)authdes_cache, - sizeof(struct cache_entry) * AUTHDES_CACHESZ); - - authdes_lru = (short *)mem_alloc(sizeof(short) * AUTHDES_CACHESZ); - /* - * Initialize the lru list - */ - for (i = 0; i < AUTHDES_CACHESZ; i++) { - authdes_lru[i] = i; - } -} - - -/* - * Find the lru victim - */ -static short -cache_victim(void) -{ - return (authdes_lru[AUTHDES_CACHESZ-1]); -} - -/* - * Note that sid was referenced - */ -static void -cache_ref(short sid) -{ - int i; - short curr; - short prev; - - prev = authdes_lru[0]; - authdes_lru[0] = sid; - for (i = 1; prev != sid; i++) { - curr = authdes_lru[i]; - authdes_lru[i] = prev; - prev = curr; - } -} - - -/* - * Find a spot in the cache for a credential containing - * the items given. 
Return -1 if a replay is detected, otherwise - * return the spot in the cache. - */ -static short -cache_spot(des_block *key, char *name, struct timeval *timestamp) -{ - struct cache_entry *cp; - int i; - u_long hi; - - hi = key->key.high; - for (cp = authdes_cache, i = 0; i < AUTHDES_CACHESZ; i++, cp++) { - if (cp->key.key.high == hi && - cp->key.key.low == key->key.low && - cp->rname != NULL && - bcmp(cp->rname, name, strlen(name) + 1) == 0) { - if (BEFORE(timestamp, &cp->laststamp)) { - svcauthdes_stats.ncachereplays++; - return (-1); /* replay */ - } - svcauthdes_stats.ncachehits++; - return (i); /* refresh */ - } - } - svcauthdes_stats.ncachemisses++; - return (cache_victim()); /* new credential */ -} - - -#if (defined(sun) || defined(vax) || defined(__FreeBSD__)) -/* - * Local credential handling stuff. - * NOTE: bsd unix dependent. - * Other operating systems should put something else here. - */ -#define UNKNOWN -2 /* grouplen, if cached cred is unknown user */ -#define INVALID -1 /* grouplen, if cache entry is invalid */ - -struct bsdcred { - uid_t uid; /* cached uid */ - gid_t gid; /* cached gid */ - int grouplen; /* length of cached groups */ - gid_t groups[NGRPS]; /* cached groups */ -}; - /* * Map a des credential into a unix cred. * We cache the credential here so the application does 
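Review bot: `__svcauth_des` now returns AUTH_FAILED unconditionally, the status the removed code reserved for a system error (the `/* system error */` returns after the DES_FAILED checks), whereas garbled or unusable credentials were answered with AUTH_BADCRED; an AUTH_DES credential is now an unsupported flavor rather than a server fault, so AUTH_BADCRED, or whatever `_authenticate` already returns for an unregistered flavor, seems the more accurate reply — worth confirming against svc_auth.c. Either way the retained header `/* Service side authenticator for AUTH_DES */` should say what the function has become: `/* Service side authenticator for AUTH_DES. Compat stub: DES authentication was removed in FreeBSD 15.0; every request is refused. */`. Both `rqst` and `msg` are now unused and could be marked `__unused`.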
@@ -451,72 +74,9 @@ * the credential. */ int -authdes_getucred(struct authdes_cred *adc, uid_t *uid, gid_t *gid, +__authdes_getucred(void *adc, uid_t *uid, gid_t *gid, int *grouplen, gid_t *groups) { - unsigned sid; - int i; - uid_t i_uid; - gid_t i_gid; - int i_grouplen; - struct bsdcred *cred; - - sid = adc->adc_nickname; - if (sid >= AUTHDES_CACHESZ) { - debug("invalid nickname"); - return (0); - } - cred = (struct bsdcred *)authdes_cache[sid].localcred; - if (cred == NULL) { - cred = (struct bsdcred *)mem_alloc(sizeof(struct bsdcred)); - authdes_cache[sid].localcred = (char *)cred; - cred->grouplen = INVALID; - } - if (cred->grouplen == INVALID) { - /* - * not in cache: lookup - */ - if (!netname2user(adc->adc_fullname.name, &i_uid, &i_gid, - &i_grouplen, groups)) - { - debug("unknown netname"); - cred->grouplen = UNKNOWN; /* mark as lookup up, but not found */ - return (0); - } - debug("missed ucred cache"); - *uid = cred->uid = i_uid; - *gid = cred->gid = i_gid; - *grouplen = cred->grouplen = i_grouplen; - for (i = i_grouplen - 1; i >= 0; i--) { - cred->groups[i] = groups[i]; /* int to short */ - } - return (1); - } else if (cred->grouplen == UNKNOWN) { - /* - * Already lookup up, but no match found - */ - return (0); - } - - /* - * cached credentials - */ - *uid = cred->uid; - *gid = cred->gid; - *grouplen = cred->grouplen; - for (i = cred->grouplen - 1; i >= 0; i--) { - groups[i] = cred->groups[i]; /* short to int */ - } - return (1); -} - -static void -invalidate(char *cred) -{ - if (cred == NULL) { - return; - } - ((struct bsdcred *)cred)->grouplen = INVALID; + return (0); } -#endif - +__sym_compat(authdes_getucred, __authdes_getucred, FBSD_1.0); diff --git a/lib/librpcsvc/Makefile b/lib/librpcsvc/Makefile --- a/lib/librpcsvc/Makefile +++ b/lib/librpcsvc/Makefile @@ -14,7 +14,7 @@ SECRPCSRCS= secretkey.c xcrypt.c .if ${MK_NIS} != "no" -OTHERSRCS+= yp_passwd.c yp_update.c +OTHERSRCS+= yp_passwd.c .endif RPCCOM= RPCGEN_CPP=${CPP:Q} rpcgen -C 
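Review bot: The comment kept above `__authdes_getucred` (`Map a des credential into a unix cred. We cache the credential here so the application does ... the credential.`) describes a lookup and cache that the new body, `return (0);`, no longer performs; the start of that comment sits in the previous hunk's trailing context. A replacement such as `/* Compat stub for authdes_getucred(): DES authentication was removed in FreeBSD 15.0, so no credential is mapped and 0 (failure) is always returned. */` would describe the FBSD_1.0 symbol accurately. Changing the first parameter from `struct authdes_cred *` to `void *` keeps the pointer ABI, but the stub also leaves `uid`, `gid`, `grouplen` and `groups` untouched, so the comment should state that callers must check the return before reading them, as the original failure paths already required.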
diff --git a/lib/librpcsvc/yp_update.c b/lib/librpcsvc/yp_update.c
deleted file mode 100644
--- a/lib/librpcsvc/yp_update.c
+++ /dev/null
@@ -1,199 +0,0 @@ -/*- - * SPDX-License-Identifier: BSD-4-Clause - * - * Copyright (c) 1995, 1996 - * Bill Paul . All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Bill Paul. - * 4. Neither the name of the author nor the names of any co-contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * ypupdate client-side library function. 
- * - * Written by Bill Paul - * Center for Telecommunications Research - * Columbia University, New York City - */ - -#include -#include -#include -#include -#include -#include -#include - -#ifndef WINDOW -#define WINDOW (60*60) -#endif - -#ifndef TIMEOUT -#define TIMEOUT 300 -#endif - -int -yp_update(char *domain, char *map, unsigned int ypop, char *key, int keylen, - char *data, int datalen) -{ - char *master; - int rval; - unsigned int res; - struct ypupdate_args upargs; - struct ypdelete_args delargs; - CLIENT *clnt; - char netname[MAXNETNAMELEN+1]; - des_block des_key; - struct timeval timeout; - - /* Get the master server name for 'domain.' */ - if ((rval = yp_master(domain, map, &master))) - return(rval); - - /* Check that ypupdated is running there. */ - if (getrpcport(master, YPU_PROG, YPU_VERS, ypop)) - return(YPERR_DOMAIN); - - /* Get a handle. */ - if ((clnt = clnt_create(master, YPU_PROG, YPU_VERS, "tcp")) == NULL) - return(YPERR_RPC); - - /* - * Assemble netname of server. - * NOTE: It's difficult to discern from the documentation, but - * when you make a Secure RPC call, the netname you pass should - * be the netname of the guy on the other side, not your own - * netname. This is how the client side knows what public key - * to use for the initial exchange. Passing your own netname - * only works if the server on the other side is running under - * your UID. - */ - if (!host2netname(netname, master, domain)) { - clnt_destroy(clnt); - return(YPERR_BADARGS); - } - - /* Make up a DES session key. */ - key_gendes(&des_key); - - /* Set up DES authentication. */ - if ((clnt->cl_auth = (AUTH *)authdes_create(netname, WINDOW, NULL, - &des_key)) == NULL) { - clnt_destroy(clnt); - return(YPERR_RESRC); - } - - /* Set a timeout for clnt_call(). */ - timeout.tv_usec = 0; - timeout.tv_sec = TIMEOUT; - - /* - * Make the call. Note that we use clnt_call() here rather than - * the rpcgen-erated client stubs. 
We could use those stubs, but - * then we'd have to do some gymnastics to get at the error - * information to figure out what error code to send back to the - * caller. With clnt_call(), we get the error status returned to - * us right away, and we only have to exert a small amount of - * extra effort. - */ - switch (ypop) { - case YPOP_CHANGE: - upargs.mapname = map; - upargs.key.yp_buf_len = keylen; - upargs.key.yp_buf_val = key; - upargs.datum.yp_buf_len = datalen; - upargs.datum.yp_buf_val = data; - - if ((rval = clnt_call(clnt, YPU_CHANGE, - (xdrproc_t)xdr_ypupdate_args, &upargs, - (xdrproc_t)xdr_u_int, &res, timeout)) != RPC_SUCCESS) { - if (rval == RPC_AUTHERROR) - res = YPERR_ACCESS; - else - res = YPERR_RPC; - } - - break; - case YPOP_INSERT: - upargs.mapname = map; - upargs.key.yp_buf_len = keylen; - upargs.key.yp_buf_val = key; - upargs.datum.yp_buf_len = datalen; - upargs.datum.yp_buf_val = data; - - if ((rval = clnt_call(clnt, YPU_INSERT, - (xdrproc_t)xdr_ypupdate_args, &upargs, - (xdrproc_t)xdr_u_int, &res, timeout)) != RPC_SUCCESS) { - if (rval == RPC_AUTHERROR) - res = YPERR_ACCESS; - else - res = YPERR_RPC; - } - - break; - case YPOP_DELETE: - delargs.mapname = map; - delargs.key.yp_buf_len = keylen; - delargs.key.yp_buf_val = key; - - if ((rval = clnt_call(clnt, YPU_DELETE, - (xdrproc_t)xdr_ypdelete_args, &delargs, - (xdrproc_t)xdr_u_int, &res, timeout)) != RPC_SUCCESS) { - if (rval == RPC_AUTHERROR) - res = YPERR_ACCESS; - else - res = YPERR_RPC; - } - - break; - case YPOP_STORE: - upargs.mapname = map; - upargs.key.yp_buf_len = keylen; - upargs.key.yp_buf_val = key; - upargs.datum.yp_buf_len = datalen; - upargs.datum.yp_buf_val = data; - - if ((rval = clnt_call(clnt, YPU_STORE, - (xdrproc_t)xdr_ypupdate_args, &upargs, - (xdrproc_t)xdr_u_int, &res, timeout)) != RPC_SUCCESS) { - if (rval == RPC_AUTHERROR) - res = YPERR_ACCESS; - else - res = YPERR_RPC; - } - - break; - default: - res = YPERR_BADARGS; - break; - } - - /* All done: tear down the 
connection. */ - auth_destroy(clnt->cl_auth); - clnt_destroy(clnt); - free(master); - - return(res); -} diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf --- a/libexec/rc/rc.conf +++ b/libexec/rc/rc.conf @@ -395,7 +395,6 @@ rpcbind_enable="NO" # Run the portmapper service (YES/NO). rpcbind_program="/usr/sbin/rpcbind" # path to rpcbind, if you want a different one. rpcbind_flags="" # Flags to rpcbind (if enabled). -rpc_ypupdated_enable="NO" # Run if NIS master and SecureRPC (or NO). nfsv4_server_enable="NO" # Enable support for NFSv4 nfsv4_server_only="NO" # Set NFS server to NFSv4 only nfscbd_enable="NO" # NFSv4 client side callback daemon diff --git a/libexec/rc/rc.d/Makefile b/libexec/rc/rc.d/Makefile --- a/libexec/rc/rc.d/Makefile +++ b/libexec/rc/rc.d/Makefile @@ -308,7 +308,6 @@ yppasswdd \ ypserv \ ypset \ - ypupdated \ ypxfrd \ nisdomain YPPACKAGE= yp diff --git a/libexec/rc/rc.d/ypupdated b/libexec/rc/rc.d/ypupdated deleted file mode 100755 --- a/libexec/rc/rc.d/ypupdated +++ /dev/null @@ -1,35 +0,0 @@ -#!/bin/sh -# -# - -# PROVIDE: ypupdated -# REQUIRE: rpcbind ypserv -# KEYWORD: shutdown - -. /etc/rc.subr - -name="ypupdated" -rcvar="rpc_ypupdated_enable" - -: ${ypupdated_svcj_options:="net_basic"} - -load_rc_config $name - -command="/usr/sbin/rpc.${name}" -start_precmd="rpc_ypupdated_precmd" - -rpc_ypupdated_precmd() -{ - local _domain - - force_depend rpcbind || return 1 - force_depend ypserv nis_server || return 1 - - _domain=`domainname` - if [ -z "$_domain" ]; then - warn "NIS domainname(1) is not set." - return 1 - fi -} - -run_rc_command "$1" diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 @@ -2932,13 +2932,6 @@ these are the flags to pass to the .Xr rpc.yppasswdd 8 daemon. -.It Va rpc_ypupdated_enable -.Pq Vt bool -If set to -.Dq Li YES , -run the -.Nm rpc.ypupdated -daemon at system boot time. .It Va bsnmpd_enable .Pq Vt bool If set to 
diff --git a/sys/rpc/auth.h b/sys/rpc/auth.h --- a/sys/rpc/auth.h +++ b/sys/rpc/auth.h @@ -246,19 +246,6 @@ extern AUTH *authnone_create(void); /* takes no parameters */ extern AUTH *authtls_create(void); /* takes no parameters */ __END_DECLS -/* - * DES style authentication - * AUTH *authsecdes_create(servername, window, timehost, ckey) - * char *servername; - network name of server - * u_int window; - time to live - * const char *timehost; - optional hostname to sync with - * des_block *ckey; - optional conversation key to use - */ -__BEGIN_DECLS -extern AUTH *authdes_create (char *, u_int, struct sockaddr *, des_block *); -extern AUTH *authdes_seccreate (const char *, const u_int, const char *, - const des_block *); -__END_DECLS __BEGIN_DECLS extern bool_t xdr_opaque_auth (XDR *, struct opaque_auth *); @@ -279,19 +266,6 @@ extern void passwd2des ( char *, char * ); __END_DECLS -/* - * - * These routines interface to the keyserv daemon - * - */ -__BEGIN_DECLS -extern int key_decryptsession(const char *, des_block *); -extern int key_encryptsession(const char *, des_block *); -extern int key_gendes(des_block *); -extern int key_setsecret(const char *); -extern int key_secretkey_is_set(void); -__END_DECLS - /* * Publickey routines. */ diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc --- a/tools/build/mk/OptionalObsoleteFiles.inc +++ b/tools/build/mk/OptionalObsoleteFiles.inc @@ -8862,7 +8862,6 @@ OLD_FILES+=etc/rc.d/yppasswdd OLD_FILES+=etc/rc.d/ypserv OLD_FILES+=etc/rc.d/ypset -OLD_FILES+=etc/rc.d/ypupdated OLD_FILES+=etc/rc.d/ypxfrd OLD_FILES+=usr/bin/ypcat OLD_FILES+=usr/bin/ypchfn @@ -8880,7 +8879,6 @@ OLD_FILES+=usr/libexec/yppwupdate OLD_FILES+=usr/libexec/ypxfr OLD_FILES+=usr/sbin/rpc.yppasswdd -OLD_FILES+=usr/sbin/rpc.ypupdated OLD_FILES+=usr/sbin/rpc.ypxfrd OLD_FILES+=usr/sbin/yp_mkdb OLD_FILES+=usr/sbin/ypbind diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile --- a/usr.sbin/Makefile +++ b/usr.sbin/Makefile 
@@ -173,7 +173,6 @@ SUBDIR.${MK_NETGRAPH}+= ngctl SUBDIR.${MK_NETGRAPH}+= nghook SUBDIR.${MK_NIS}+= rpc.yppasswdd -SUBDIR.${MK_NIS}+= rpc.ypupdated SUBDIR.${MK_NIS}+= rpc.ypxfrd SUBDIR.${MK_NIS}+= ypbind SUBDIR.${MK_NIS}+= ypldap diff --git a/usr.sbin/rpc.ypupdated/Makefile b/usr.sbin/rpc.ypupdated/Makefile deleted file mode 100644 --- a/usr.sbin/rpc.ypupdated/Makefile +++ /dev/null @@ -1,32 +0,0 @@ -.PATH: ${SRCTOP}/usr.sbin/ypserv ${SRCTOP}/libexec/ypxfr - -PACKAGE=yp -PROG= rpc.ypupdated -MAN= -SRCS= ypupdate_prot_svc.c ypupdate_prot.h ypupdated_main.c \ - yp_error.c update.c ypupdated_server.c \ - yp_dblookup.c yp_dbwrite.c yp_dbdelete.c yp_dbupdate.c - -#CFLAGS+= -DYP -CFLAGS+= -I${SRCTOP}/usr.sbin/ypserv -I. -I${SRCTOP}/libexec/ypxfr - -WARNS?= 1 - -LIBADD= rpcsvc - -CLEANFILES= ypupdate_prot_svc.c ypupdate_prot.h - -RPCDIR= ${SYSROOT:U${DESTDIR}}/usr/include/rpcsvc -RPCGEN= RPCGEN_CPP=${CPP:Q} rpcgen -I -C - -# We need to remove the 'static' keyword from _rpcsvcstate so that -# ypupdated_main.c can see it. -ypupdate_prot_svc.c: ${RPCDIR}/ypupdate_prot.x - rm -f ${.TARGET} - ${RPCGEN} -m ${.ALLSRC} | \ - sed s/"static int _rpcsvcstate"/"int _rpcsvcstate"/g > ${.TARGET} - -ypupdate_prot.h: ${RPCDIR}/ypupdate_prot.x - ${RPCGEN} -h -o ${.TARGET} ${.ALLSRC} - -.include diff --git a/usr.sbin/rpc.ypupdated/Makefile.depend b/usr.sbin/rpc.ypupdated/Makefile.depend deleted file mode 100644 --- a/usr.sbin/rpc.ypupdated/Makefile.depend +++ /dev/null @@ -1,18 +0,0 @@ -# Autogenerated - do NOT edit! - -DIRDEPS = \ - include \ - include/rpc \ - include/rpcsvc \ - include/xlocale \ - lib/${CSU_DIR} \ - lib/libc \ - lib/libcompiler_rt \ - lib/librpcsvc \ - - -.include - -.if ${DEP_RELDIR} == ${_DEP_RELDIR} -# local dependencies - needed for -jN in clean tree -.endif diff --git a/usr.sbin/rpc.ypupdated/update.c b/usr.sbin/rpc.ypupdated/update.c deleted file mode 100644 --- a/usr.sbin/rpc.ypupdated/update.c +++ /dev/null 
@@ -1,328 +0,0 @@ -/* - * Sun RPC is a product of Sun Microsystems, Inc. and is provided for - * unrestricted use provided that this legend is included on all tape - * media and as a part of the software program in whole or part. Users - * may copy or modify Sun RPC without charge, but are not authorized - * to license or distribute it to anyone else except as part of a product or - * program developed by the user or with the express written consent of - * Sun Microsystems, Inc. - * - * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE - * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR - * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. - * - * Sun RPC is provided with no support and without any obligation on the - * part of Sun Microsystems, Inc. to assist in its use, correction, - * modification or enhancement. - * - * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE - * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC - * OR ANY PART THEREOF. - * - * In no event will Sun Microsystems, Inc. be liable for any lost revenue - * or profits or other special, indirect and consequential damages, even if - * Sun has been advised of the possibility of such damages. - * - * Sun Microsystems, Inc. - * 2550 Garcia Avenue - * Mountain View, California 94043 - */ - -/* - * Copyright (C) 1986, 1989, Sun Microsystems, Inc. 
- */ - -/* - * Administrative tool to add a new user to the publickey database - */ -#include -#include -#include -#include -#include -#ifdef YP -#include -#include -#include -#include -#endif /* YP */ -#include -#include -#include -#include "ypupdated_extern.h" - -#ifdef YP -#define MAXMAPNAMELEN 256 -#else -#define YPOP_CHANGE 1 /* change, do not add */ -#define YPOP_INSERT 2 /* add, do not change */ -#define YPOP_DELETE 3 /* delete this entry */ -#define YPOP_STORE 4 /* add, or change */ -#endif - -#ifdef YP -static char SHELL[] = "/bin/sh"; -static char YPDBPATH[]="/var/yp"; /* This is defined but not used! */ -static char PKMAP[] = "publickey.byname"; -static char UPDATEFILE[] = "updaters"; -static char PKFILE[] = "/etc/publickey"; -#endif /* YP */ - -#ifdef YP -static int _openchild(char *, FILE **, FILE **); - -/* - * Determine if requester is allowed to update the given map, - * and update it if so. Returns the yp status, which is zero - * if there is no access violation. - */ -int -mapupdate(char *requester, char *mapname, u_int op, u_int keylen, char *key, - u_int datalen, char *data) -{ - char updater[MAXMAPNAMELEN + 40]; - FILE *childargs; - FILE *childrslt; -#ifdef WEXITSTATUS - int status; -#else - union wait status; -#endif - pid_t pid; - u_int yperrno; - - -#ifdef DEBUG - printf("%s %s\n", key, data); -#endif - (void)sprintf(updater, "make -s -f %s/%s %s", YPDBPATH, /* !!! 
*/ - UPDATEFILE, mapname); - pid = _openchild(updater, &childargs, &childrslt); - if (pid < 0) { - return (YPERR_YPERR); - } - - /* - * Write to child - */ - (void)fprintf(childargs, "%s\n", requester); - (void)fprintf(childargs, "%u\n", op); - (void)fprintf(childargs, "%u\n", keylen); - (void)fwrite(key, (int)keylen, 1, childargs); - (void)fprintf(childargs, "\n"); - (void)fprintf(childargs, "%u\n", datalen); - (void)fwrite(data, (int)datalen, 1, childargs); - (void)fprintf(childargs, "\n"); - (void)fclose(childargs); - - /* - * Read from child - */ - (void)fscanf(childrslt, "%d", &yperrno); - (void)fclose(childrslt); - - (void)wait(&status); -#ifdef WEXITSTATUS - if (WEXITSTATUS(status) != 0) -#else - if (status.w_retcode != 0) -#endif - return (YPERR_YPERR); - return (yperrno); -} - -/* - * returns pid, or -1 for failure - */ -static int -_openchild(char *command, FILE **fto, FILE **ffrom) -{ - int i; - pid_t pid; - int pdto[2]; - int pdfrom[2]; - char *com; - struct rlimit rl; - - if (pipe(pdto) < 0) { - goto error1; - } - if (pipe(pdfrom) < 0) { - goto error2; - } - switch (pid = fork()) { - case -1: - goto error3; - - case 0: - /* - * child: read from pdto[0], write into pdfrom[1] - */ - (void)close(0); - (void)dup(pdto[0]); - (void)close(1); - (void)dup(pdfrom[1]); - getrlimit(RLIMIT_NOFILE, &rl); - for (i = rl.rlim_max - 1; i >= 3; i--) { - (void) close(i); - } - com = malloc((unsigned) strlen(command) + 6); - if (com == NULL) { - _exit(~0); - } - (void)sprintf(com, "exec %s", command); - execl(SHELL, basename(SHELL), "-c", com, (char *)NULL); - _exit(~0); - - default: - /* - * parent: write into pdto[1], read from pdfrom[0] - */ - *fto = fdopen(pdto[1], "w"); - (void)close(pdto[0]); - *ffrom = fdopen(pdfrom[0], "r"); - (void)close(pdfrom[1]); - break; - } - return (pid); - - /* - * error cleanup and return - */ -error3: - (void)close(pdfrom[0]); - (void)close(pdfrom[1]); -error2: - (void)close(pdto[0]); - (void)close(pdto[1]); -error1: - return (-1); -} - 
-static char * -basename(char *path) -{ - char *p; - - p = strrchr(path, '/'); - if (p == NULL) { - return (path); - } else { - return (p + 1); - } -} - -#else /* YP */ - -static int match(char *, char *); - -/* - * Determine if requester is allowed to update the given map, - * and update it if so. Returns the status, which is zero - * if there is no access violation. This function updates - * the local file and then shuts up. - */ -int -localupdate(char *name, char *filename, u_int op, u_int keylen __unused, - char *key, u_int datalen __unused, char *data) -{ - char line[256]; - FILE *rf; - FILE *wf; - char *tmpname; - int err; - - /* - * Check permission - */ - if (strcmp(name, key) != 0) { - return (ERR_ACCESS); - } - if (strcmp(name, "nobody") == 0) { - /* - * Can't change "nobody"s key. - */ - return (ERR_ACCESS); - } - - /* - * Open files - */ - tmpname = malloc(strlen(filename) + 4); - if (tmpname == NULL) { - return (ERR_MALLOC); - } - sprintf(tmpname, "%s.tmp", filename); - rf = fopen(filename, "r"); - if (rf == NULL) { - err = ERR_READ; - goto cleanup; - } - wf = fopen(tmpname, "w"); - if (wf == NULL) { - fclose(rf); - err = ERR_WRITE; - goto cleanup; - } - err = -1; - while (fgets(line, sizeof (line), rf)) { - if (err < 0 && match(line, name)) { - switch (op) { - case YPOP_INSERT: - err = ERR_KEY; - break; - case YPOP_STORE: - case YPOP_CHANGE: - fprintf(wf, "%s %s\n", key, data); - err = 0; - break; - case YPOP_DELETE: - /* do nothing */ - err = 0; - break; - } - } else { - fputs(line, wf); - } - } - if (err < 0) { - switch (op) { - case YPOP_CHANGE: - case YPOP_DELETE: - err = ERR_KEY; - break; - case YPOP_INSERT: - case YPOP_STORE: - err = 0; - fprintf(wf, "%s %s\n", key, data); - break; - } - } - fclose(wf); - fclose(rf); - if (err == 0) { - if (rename(tmpname, filename) < 0) { - err = ERR_DBASE; - goto cleanup; - } - } else { - if (unlink(tmpname) < 0) { - err = ERR_DBASE; - goto cleanup; - } - } -cleanup: - free(tmpname); - return (err); -} - 
-static int
-match(char *line, char *name)
-{
- int len;
-
- len = strlen(name);
- return (strncmp(line, name, len) == 0 &&
- (line[len] == ' ' || line[len] == '\t'));
-}
-#endif /* !YP */
diff --git a/usr.sbin/rpc.ypupdated/yp_dbdelete.c b/usr.sbin/rpc.ypupdated/yp_dbdelete.c
deleted file mode 100644
--- a/usr.sbin/rpc.ypupdated/yp_dbdelete.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*-
- * SPDX-License-Identifier: BSD-4-Clause
- *
- * Copyright (c) 1995, 1996
- * Bill Paul . All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Bill Paul.
- * 4. Neither the name of the author nor the names of any co-contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include "ypxfr_extern.h"
-
-int
-yp_del_record(DB *dbp, DBT *key)
-{
- int rval;
-
- if ((rval = (dbp->del)(dbp,key,0))) {
- switch (rval) {
- case 1:
- return(YP_FALSE);
- break;
- case -1:
- default:
- (void)(dbp->close)(dbp);
- return(YP_BADDB);
- break;
- }
- }
-
- return(YP_TRUE);
-}
diff --git a/usr.sbin/rpc.ypupdated/yp_dbupdate.c b/usr.sbin/rpc.ypupdated/yp_dbupdate.c
deleted file mode 100644
--- a/usr.sbin/rpc.ypupdated/yp_dbupdate.c
+++ /dev/null
@@ -1,147 +0,0 @@ -/*- - * SPDX-License-Identifier: BSD-4-Clause - * - * Copyright (c) 1996 - * Bill Paul . All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Bill Paul. - * 4. Neither the name of the author nor the names of any co-contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "ypxfr_extern.h" -#include "ypupdated_extern.h" - -static int -yp_domake(char *map, char *domain) -{ - int pid; - - switch ((pid = fork())) { - case 0: - execlp(MAP_UPDATE_PATH, MAP_UPDATE, map, domain, (char *)NULL); - yp_error("couldn't exec map update process: %s", - strerror(errno)); - exit(1); - break; - case -1: - yp_error("fork() failed: %s", strerror(errno)); - return(YPERR_YPERR); - break; - default: - children++; - break; - } - - return(0); -} - -int -ypmap_update(char *netname, char *map, unsigned int op, unsigned int keylen, - char *keyval, unsigned int datlen, char *datval) -{ - DB *dbp; - DBT key = { NULL, 0 }, data = { NULL, 0 }; - char *yp_last = "YP_LAST_MODIFIED"; - char yplastbuf[32]; - char *domptr; - int rval = 0; - - if ((domptr = strchr(netname, '@')) == NULL) - return(ERR_ACCESS); - domptr++; - - - dbp = yp_open_db_rw(domptr, map, O_RDWR); - if (dbp == NULL) - return(ERR_DBASE); - - key.data = keyval; - key.size = keylen; - data.data = datval; - data.size = datlen; - - switch (op) { - case YPOP_DELETE: /* delete this entry */ - rval = yp_del_record(dbp, &key); - if (rval == YP_TRUE) - rval = 0; - break; - case YPOP_INSERT: /* add, do not change */ - rval = yp_put_record(dbp, &key, &data, 0); - if (rval == YP_TRUE) - rval = 0; - break; - case YPOP_STORE: /* add, or change */ - rval = yp_put_record(dbp, &key, &data, 1); - if (rval == YP_TRUE) - rval = 0; - break; - case YPOP_CHANGE: /* change, do not add */ - if (yp_get_record(domptr, map, &key, &data, 0) != YP_TRUE) { - rval = ERR_KEY; - break; - } - rval = yp_put_record(dbp, &key, &data, 1); - if (rval == YP_TRUE) - rval = 0; - break; - default: - yp_error("unknown update command: (%d)", op); - } - - if (rval) { - (void)(dbp->close)(dbp); - return(rval); - } - - snprintf(yplastbuf, sizeof(yplastbuf), "%jd", (intmax_t)time(NULL)); - key.data = yp_last; - 
key.size = strlen(yp_last);
- data.data = (char *)&yplastbuf;
- data.size = strlen(yplastbuf);
- if (yp_put_record(dbp, &key, &data, 1) != YP_TRUE) {
- yp_error("failed to update timestamp in %s/%s", domptr, map);
- (void)(dbp->close)(dbp);
- return(ERR_DBASE);
- }
-
- (void)(dbp->close)(dbp);
- return(yp_domake(map, domptr));
-}
diff --git a/usr.sbin/rpc.ypupdated/ypupdate b/usr.sbin/rpc.ypupdated/ypupdate
deleted file mode 100755
--- a/usr.sbin/rpc.ypupdated/ypupdate
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh
-#
-# This script is invoked by rpc.ypupdatedd to propagate NIS maps
-# after the master map databases have been modified. It expects
-# to be passed two arguments: the name of the map that was updated
-# and the name of the domain where the map resides.
-# These are passed to /var/yp/Makefile.
-#
-# Comment out the LOG=yes line to disable logging.
-#
-#
-
-LOG=yes
-LOGFILE=/var/yp/ypupdate.log
-
-umask 077
-
-if [ ! -f $LOGFILE ];
-then
- /usr/bin/touch $LOGFILE
- echo "# Edit /usr/libexec/yppwupdate to disable" >> $LOGFILE
- echo "# logging to this file from yppasswdd." >> $LOGFILE
- echo -n "# Log started on: " >> $LOGFILE
- /bin/date >> $LOGFILE
-fi
-
-if [ ! $LOG ];
-then
- cd /var/yp/$2; /usr/bin/make -f ../Makefile $1 2>&1
-else
- cd /var/yp/$2; /usr/bin/make -f ../Makefile $1 >> $LOGFILE
-fi
diff --git a/usr.sbin/rpc.ypupdated/ypupdated_extern.h b/usr.sbin/rpc.ypupdated/ypupdated_extern.h
deleted file mode 100644
--- a/usr.sbin/rpc.ypupdated/ypupdated_extern.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- */
-
-#include
-
-#define YPOP_CHANGE 1 /* change, do not add */
-#define YPOP_INSERT 2 /* add, do not change */
-#define YPOP_DELETE 3 /* delete this entry */
-#define YPOP_STORE 4 /* add, or change */
-
-#define ERR_ACCESS 1
-#define ERR_MALLOC 2
-#define ERR_READ 3
-#define ERR_WRITE 4
-#define ERR_DBASE 5
-#define ERR_KEY 6
-
-#ifndef YPLIBDIR
-#define YPLIBDIR "/usr/libexec/"
-#endif
-
-#ifndef MAP_UPPATE
-#define MAP_UPDATE "ypupdate"
-#endif
-
-#define MAP_UPDATE_PATH YPLIBDIR MAP_UPDATE
-
-extern int children;
-extern void ypu_prog_1(struct svc_req *, register SVCXPRT *);
-extern int localupdate(char *, char *, u_int, u_int, char *, u_int, char *);
-extern int ypmap_update(char *, char *, u_int, u_int, char *, u_int, char *);
-extern int yp_del_record(DB *, DBT *);
diff --git a/usr.sbin/rpc.ypupdated/ypupdated_main.c b/usr.sbin/rpc.ypupdated/ypupdated_main.c
deleted file mode 100644
--- a/usr.sbin/rpc.ypupdated/ypupdated_main.c
+++ /dev/null
@@ -1,287 +0,0 @@ -/*- - * SPDX-License-Identifier: BSD-4-Clause - * - * Copyright (c) 1995, 1996 - * Bill Paul . All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Bill Paul. - * 4. Neither the name of the author nor the names of any co-contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include "ypupdate_prot.h" -#include -#include /* getenv, exit */ -#include /* for pmap_unset */ -#include -#include /* strcmp */ -#include -#ifdef __cplusplus -#include /* getdtablesize, open */ -#endif /* __cplusplus */ -#include -#include -#include -#include -#include -#include -#include -#include -#include "ypupdated_extern.h" -#include "yp_extern.h" - -#ifndef SIG_PF -#define SIG_PF void(*)(int) -#endif - -#ifdef DEBUG -#define RPC_SVC_FG -#endif - -#define _RPCSVC_CLOSEDOWN 120 -int _rpcpmstart; /* Started by a port monitor ? */ -static int _rpcfdtype; - /* Whether Stream or Datagram ? */ - /* States a server can be in wrt request */ - -#define _IDLE 0 -#define _SERVED 1 -#define _SERVING 2 - -extern int _rpcsvcstate; /* Set when a request is serviced */ - -int debug; - -char *progname = "rpc.ypupdated"; -char *yp_dir = "/var/yp/"; - -static void -_msgout(char* msg) -{ -#ifdef RPC_SVC_FG - if (_rpcpmstart) - syslog(LOG_ERR, "%s", msg); - else - warnx("%s", msg); -#else - syslog(LOG_ERR, "%s", msg); -#endif -} - -static void -closedown(int sig) -{ - if (_rpcsvcstate == _IDLE) { - extern fd_set svc_fdset; - static int size; - int i, openfd; - - if (_rpcfdtype == SOCK_DGRAM) - exit(0); - if (size == 0) { - size = getdtablesize(); - } - for (i = 0, openfd = 0; i < size && openfd < 2; i++) - if (FD_ISSET(i, &svc_fdset)) - openfd++; - if (openfd <= 1) - exit(0); - } - if (_rpcsvcstate == _SERVED) - _rpcsvcstate = _IDLE; - - (void) signal(SIGALRM, (SIG_PF) closedown); - (void) alarm(_RPCSVC_CLOSEDOWN/2); -} - -static void -ypupdated_svc_run(void) -{ -#ifdef FD_SETSIZE - fd_set readfds; -#else - int readfds; -#endif /* def FD_SETSIZE */ - extern int forked; - int pid; - int fd_setsize = _rpc_dtablesize(); - - /* Establish the identity of the parent ypupdated process. 
*/ - pid = getpid(); - - for (;;) { -#ifdef FD_SETSIZE - readfds = svc_fdset; -#else - readfds = svc_fds; -#endif /* def FD_SETSIZE */ - switch (select(fd_setsize, &readfds, NULL, NULL, - (struct timeval *)0)) { - case -1: - if (errno == EINTR) { - continue; - } - warn("svc_run: - select failed"); - return; - case 0: - continue; - default: - svc_getreqset(&readfds); - if (forked && pid != getpid()) - exit(0); - } - } -} - -static void -reaper(int sig) -{ - int status; - - if (sig == SIGHUP) { -#ifdef foo - load_securenets(); -#endif - return; - } - - if (sig == SIGCHLD) { - while (wait3(&status, WNOHANG, NULL) > 0) - children--; - } else { - (void) pmap_unset(YPU_PROG, YPU_VERS); - exit(0); - } -} - -void -usage(void) -{ - fprintf(stderr, "rpc.ypupdatedd [-p path]\n"); - exit(0); -} - -int -main(int argc, char *argv[]) -{ - register SVCXPRT *transp = NULL; - int sock; - int proto = 0; - struct sockaddr_in saddr; - int asize = sizeof (saddr); - int ch; - - while ((ch = getopt(argc, argv, "p:h")) != -1) { - switch (ch) { - case 'p': - yp_dir = optarg; - break; - default: - usage(); - break; - } - } -#ifdef foo - load_securenets(); -#endif - - if (svc_auth_reg(AUTH_DES, _svcauth_des) == -1) { - yp_error("failed to register AUTH_DES flavor"); - exit(1); - } - - if (getsockname(0, (struct sockaddr *)&saddr, &asize) == 0) { - int ssize = sizeof (int); - - if (saddr.sin_family != AF_INET) - exit(1); - if (getsockopt(0, SOL_SOCKET, SO_TYPE, - (char *)&_rpcfdtype, &ssize) == -1) - exit(1); - sock = 0; - _rpcpmstart = 1; - proto = 0; - openlog("rpc.ypupdatedd", LOG_PID, LOG_DAEMON); - } else { -#ifndef RPC_SVC_FG - if (daemon(0,0)) { - err(1, "cannot fork"); - } - openlog("rpc.ypupdated", LOG_PID, LOG_DAEMON); -#endif - sock = RPC_ANYSOCK; - (void) pmap_unset(YPU_PROG, YPU_VERS); - } - - if ((_rpcfdtype == 0) || (_rpcfdtype == SOCK_DGRAM)) { - transp = svcudp_create(sock); - if (transp == NULL) { - _msgout("cannot create udp service."); - exit(1); - } - if (!_rpcpmstart) - 
proto = IPPROTO_UDP; - if (!svc_register(transp, YPU_PROG, YPU_VERS, ypu_prog_1, proto)) { - _msgout("unable to register (YPU_PROG, YPU_VERS, udp)."); - exit(1); - } - } - - if ((_rpcfdtype == 0) || (_rpcfdtype == SOCK_STREAM)) { - transp = svctcp_create(sock, 0, 0); - if (transp == NULL) { - _msgout("cannot create tcp service."); - exit(1); - } - if (!_rpcpmstart) - proto = IPPROTO_TCP; - if (!svc_register(transp, YPU_PROG, YPU_VERS, ypu_prog_1, proto)) { - _msgout("unable to register (YPU_PROG, YPU_VERS, tcp)."); - exit(1); - } - } - - if (transp == (SVCXPRT *)NULL) { - _msgout("could not create a handle"); - exit(1); - } - if (_rpcpmstart) { - (void) signal(SIGALRM, (SIG_PF) closedown); - (void) alarm(_RPCSVC_CLOSEDOWN/2); - } - - (void) signal(SIGPIPE, SIG_IGN); - (void) signal(SIGCHLD, (SIG_PF) reaper); - (void) signal(SIGTERM, (SIG_PF) reaper); - (void) signal(SIGINT, (SIG_PF) reaper); - (void) signal(SIGHUP, (SIG_PF) reaper); - - ypupdated_svc_run(); - _msgout("svc_run returned"); - exit(1); - /* NOTREACHED */ -} diff --git a/usr.sbin/rpc.ypupdated/ypupdated_server.c b/usr.sbin/rpc.ypupdated/ypupdated_server.c deleted file mode 100644 --- a/usr.sbin/rpc.ypupdated/ypupdated_server.c +++ /dev/null 
@@ -1,227 +0,0 @@ -/*- - * SPDX-License-Identifier: BSD-4-Clause - * - * Copyright (c) 1995, 1996 - * Bill Paul . All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Bill Paul. - * 4. Neither the name of the author nor the names of any co-contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * ypupdate server implementation - * - * Written by Bill Paul - * Center for Telecommunications Research - * Columbia University, New York City - */ - -#include -#include -#include -#include -#include -#include -#include "ypupdate_prot.h" -#include "ypupdated_extern.h" -#include "yp_extern.h" -#include "ypxfr_extern.h" - -int children = 0; -int forked = 0; - -/* - * Try to avoid spoofing: if a client chooses to use a very large - * window and then tries a bunch of randomly chosen encrypted timestamps, - * there's a chance he might stumble onto a valid combination. - * We therefore reject any RPCs with a window size larger than a preset - * value. - */ -#ifndef WINDOW -#define WINDOW (60*60) -#endif - -static enum auth_stat -yp_checkauth(struct svc_req *svcreq) -{ - struct authdes_cred *des_cred; - - switch (svcreq->rq_cred.oa_flavor) { - case AUTH_DES: - des_cred = (struct authdes_cred *) svcreq->rq_clntcred; - if (des_cred->adc_fullname.window > WINDOW) { - yp_error("warning: client-specified window size \ -was too large -- possible spoof attempt"); - return(AUTH_BADCRED); - } - return(AUTH_OK); - break; - case AUTH_UNIX: - case AUTH_NONE: - yp_error("warning: client didn't use DES authentication"); - return(AUTH_TOOWEAK); - break; - default: - yp_error("client used unknown auth flavor"); - return(AUTH_REJECTEDCRED); - break; - } -} - -unsigned int * -ypu_change_1_svc(struct ypupdate_args *args, struct svc_req *svcreq) -{ - struct authdes_cred *des_cred; - static int res; - char *netname; - enum auth_stat astat; - - res = 0; - - astat = yp_checkauth(svcreq); - - if (astat != AUTH_OK) { - svcerr_auth(svcreq->rq_xprt, astat); - return(&res); - } - - des_cred = (struct authdes_cred *) svcreq->rq_clntcred; - netname = des_cred->adc_fullname.name; - - res = localupdate(netname, "/etc/publickey", YPOP_CHANGE, - args->key.yp_buf_len, args->key.yp_buf_val, - args->datum.yp_buf_len, args->datum.yp_buf_val); - - if (res) - return (&res); - - res = 
ypmap_update(netname, args->mapname, YPOP_CHANGE, - args->key.yp_buf_len, args->key.yp_buf_val, - args->datum.yp_buf_len, args->datum.yp_buf_val); - - return (&res); -} - -unsigned int * -ypu_insert_1_svc(struct ypupdate_args *args, struct svc_req *svcreq) -{ - struct authdes_cred *des_cred; - static int res; - char *netname; - enum auth_stat astat; - - res = 0; - - astat = yp_checkauth(svcreq); - - if (astat != AUTH_OK) { - svcerr_auth(svcreq->rq_xprt, astat); - return(&res); - } - - des_cred = (struct authdes_cred *) svcreq->rq_clntcred; - netname = des_cred->adc_fullname.name; - - res = localupdate(netname, "/etc/publickey", YPOP_INSERT, - args->key.yp_buf_len, args->key.yp_buf_val, - args->datum.yp_buf_len, args->datum.yp_buf_val); - - if (res) - return (&res); - - res = ypmap_update(netname, args->mapname, YPOP_INSERT, - args->key.yp_buf_len, args->key.yp_buf_val, - args->datum.yp_buf_len, args->datum.yp_buf_val); - - return (&res); -} - -unsigned int * -ypu_delete_1_svc(struct ypdelete_args *args, struct svc_req *svcreq) -{ - struct authdes_cred *des_cred; - static int res; - char *netname; - enum auth_stat astat; - - res = 0; - - astat = yp_checkauth(svcreq); - - if (astat != AUTH_OK) { - svcerr_auth(svcreq->rq_xprt, astat); - return(&res); - } - - des_cred = (struct authdes_cred *) svcreq->rq_clntcred; - netname = des_cred->adc_fullname.name; - - res = localupdate(netname, "/etc/publickey", YPOP_DELETE, - args->key.yp_buf_len, args->key.yp_buf_val, - 0, NULL); - - if (res) - return (&res); - - res = ypmap_update(netname, args->mapname, YPOP_DELETE, - args->key.yp_buf_len, args->key.yp_buf_val, - 0, NULL); - - return (&res); -} - -unsigned int * -ypu_store_1_svc(struct ypupdate_args *args, struct svc_req *svcreq) -{ - struct authdes_cred *des_cred; - static int res; - char *netname; - enum auth_stat astat; - - res = 0; - - astat = yp_checkauth(svcreq); - - if (astat != AUTH_OK) { - svcerr_auth(svcreq->rq_xprt, astat); - return(&res); - } - - des_cred = 
(struct authdes_cred *) svcreq->rq_clntcred; - netname = des_cred->adc_fullname.name; - - res = localupdate(netname, "/etc/publickey", YPOP_STORE, - args->key.yp_buf_len, args->key.yp_buf_val, - args->datum.yp_buf_len, args->datum.yp_buf_val); - - if (res) - return (&res); - - res = ypmap_update(netname, args->mapname, YPOP_STORE, - args->key.yp_buf_len, args->key.yp_buf_val, - args->datum.yp_buf_len, args->datum.yp_buf_val); - - return (&res); -}