ref: 9fd0f89856bfb42acc3343a98025edac6101d24c
dir: /sys/src/cmd/auth/keyfs.c/
/* * keyfs */ #include <u.h> #include <libc.h> #include <ctype.h> #include <fcall.h> #include <bio.h> #include <libsec.h> #include <authsrv.h> #include "authcmdlib.h" #pragma varargck type "W" char* Authkey authkey; int keydbaes; uchar zeros[16]; typedef struct Fid Fid; typedef struct User User; enum { Qroot, Quser, Qkey, Qaeskey, Qpakhash, Qsecret, Qlog, Qstatus, Qexpire, Qwarnings, Qmax, Nuser = 512, MAXBAD = 10, /* max # of bad attempts before disabling the account */ /* file must be randomly addressible, so names have fixed length */ Namelen = ANAMELEN, }; enum { Sok, Sdisabled, Smax, }; struct Fid { int fid; ulong qtype; User *user; int busy; Fid *next; }; struct User { char *name; Authkey key; char secret[SECRETLEN]; ulong expire; /* 0 == never */ uchar status; ulong bad; /* # of consecutive bad authentication attempts */ int ref; char removed; uchar warnings; ulong purgatory; /* time purgatory ends */ ulong uniq; User *link; }; char *qinfo[Qmax] = { [Qroot] "keys", [Quser] ".", [Qkey] "key", [Qaeskey] "aeskey", [Qpakhash] "pakhash", [Qsecret] "secret", [Qlog] "log", [Qexpire] "expire", [Qstatus] "status", [Qwarnings] "warnings", }; char *status[Smax] = { [Sok] "ok", [Sdisabled] "disabled", }; Fid *fids; User *users[Nuser]; char *userkeys; int nuser; ulong uniq = 1; Fcall rhdr, thdr; int usepass; int readonly; char *warnarg; uchar mdata[8192 + IOHDRSZ]; int messagesize = sizeof mdata; int readusers(void); ulong hash(char*); Fid *findfid(int); User *finduser(char*); User *installuser(char*); int removeuser(User*); void insertuser(User*); void writeusers(void); void io(int, int); void *emalloc(ulong); char *estrdup(char*); Qid mkqid(User*, ulong); int dostat(User*, ulong, void*, int); int newkeys(void); void warning(void); int weirdfmt(Fmt *f); char *Auth(Fid*), *Attach(Fid*), *Version(Fid*), *Flush(Fid*), *Walk(Fid*), *Open(Fid*), *Create(Fid*), *Read(Fid *), *Write(Fid*), *Clunk(Fid*), *Remove(Fid *), *Stat(Fid*), *Wstat(Fid*); char *(*fcalls[])(Fid*) = { [Tattach] Attach, [Tauth] Auth, [Tclunk] Clunk, [Tcreate] Create, [Tflush] Flush, [Topen] Open, [Tread] Read, [Tremove] Remove, [Tstat] Stat, [Tversion] Version, [Twalk] Walk, [Twrite] Write, [Twstat] Wstat, }; static void usage(void) { fprint(2, "usage: %s [-p] [-r] [-m mtpt] [-w warn] [keyfile]\n", argv0); exits("usage"); } static int haveaeskey(void) { return memcmp(authkey.aes, zeros, 16) != 0; } void main(int argc, char *argv[]) { char *mntpt; int p[2]; fmtinstall('W', weirdfmt); mntpt = "/mnt/keys"; ARGBEGIN{ case 'm': mntpt = EARGF(usage()); break; case 'p': usepass = 1; break; case 'w': warnarg = EARGF(usage()); break; case 'r': readonly = 1; break; default: usage(); break; }ARGEND argv0 = "keyfs"; userkeys = "/adm/keys"; if(argc > 1) usage(); if(argc == 1) userkeys = argv[0]; if(pipe(p) < 0) error("can't make pipe: %r"); private(); if(usepass) getpass(&authkey, nil, 0, 0); else { if(!getauthkey(&authkey)) fprint(2, "keyfs: warning: can't read NVRAM\n"); } keydbaes = 0; if(!newkeys() || !readusers()){ if(!keydbaes) keydbaes = haveaeskey(); else if(!haveaeskey()){ fprint(2, "keyfs: no aes key in NVRAM\n"); getpass(&authkey, nil, 0, 0); readusers(); } } switch(rfork(RFPROC|RFNAMEG|RFNOTEG|RFNOWAIT|RFENVG|RFFDG)){ case 0: close(p[0]); io(p[1], p[1]); exits(0); case -1: error("fork"); default: close(p[1]); if(mount(p[0], -1, mntpt, MREPL|MCREATE, "") == -1) error("can't mount: %r"); exits(0); } } char * Flush(Fid *f) { USED(f); return 0; } char * Auth(Fid *) { return "keyfs: authentication not required"; } char * Attach(Fid *f) { if(f->busy) Clunk(f); f->user = nil; f->qtype = Qroot; f->busy = 1; thdr.qid = mkqid(f->user, f->qtype); return 0; } char* Version(Fid*) { Fid *f; for(f = fids; f; f = f->next) if(f->busy) Clunk(f); if(rhdr.msize < 256) return "message size too small"; if(rhdr.msize > sizeof mdata) thdr.msize = sizeof mdata; else thdr.msize = rhdr.msize; messagesize = thdr.msize; thdr.version = "9P2000"; if(strncmp(rhdr.version, "9P", 2) != 0) thdr.version = "unknown"; return 0; } char * Walk(Fid *f) { char *name, *err; int i, j, max; Fid *nf; ulong qtype; User *user; if(!f->busy) return "walk of unused fid"; nf = nil; qtype = f->qtype; user = f->user; if(rhdr.fid != rhdr.newfid){ nf = findfid(rhdr.newfid); if(nf->busy) return "fid in use"; f = nf; /* walk f */ } err = nil; i = 0; if(rhdr.nwname > 0){ for(; i<rhdr.nwname; i++){ if(i >= MAXWELEM){ err = "too many path name elements"; break; } name = rhdr.wname[i]; switch(qtype){ case Qroot: if(strcmp(name, "..") == 0) goto Accept; user = finduser(name); if(user == nil) goto Out; qtype = Quser; Accept: thdr.wqid[i] = mkqid(user, qtype); break; case Quser: if(strcmp(name, "..") == 0) { qtype = Qroot; user = nil; goto Accept; } max = Qmax; for(j = Quser + 1; j < Qmax; j++) if(strcmp(name, qinfo[j]) == 0){ qtype = j; break; } if(j < max) goto Accept; goto Out; default: err = "file is not a directory"; goto Out; } } Out: if(i < rhdr.nwname && err == nil) err = "file not found"; } if(err != nil){ return err; } /* if we cloned and then completed the walk, update new fid */ if(rhdr.fid != rhdr.newfid && i == rhdr.nwname){ nf->busy = 1; nf->qtype = qtype; nf->user = user; if(user != nil) user->ref++; }else if(nf == nil && rhdr.nwname > 0){ /* walk without clone (rare) */ Clunk(f); f->busy = 1; f->qtype = qtype; f->user = user; if(user != nil) user->ref++; } thdr.nwqid = i; return 0; } char * Clunk(Fid *f) { f->busy = 0; if(f->user != nil && --f->user->ref == 0 && f->user->removed) { free(f->user->name); free(f->user); } f->user = nil; return nil; } char * Open(Fid *f) { int mode; if(!f->busy) return "open of unused fid"; mode = rhdr.mode; if(f->qtype == Quser && (mode & (OWRITE|OTRUNC))) return "user already exists"; if((f->qtype == Qaeskey || f->qtype == Qpakhash) && !keydbaes) return "keyfile not in aes format"; thdr.qid = mkqid(f->user, f->qtype); thdr.iounit = messagesize - IOHDRSZ; return 0; } char * Create(Fid *f) { char *name; long perm; if(!f->busy) return "create of unused fid"; if(readonly) return "mounted read-only"; name = rhdr.name; if(f->user != nil){ return "permission denied"; }else{ perm = rhdr.perm; if(!(perm & DMDIR)) return "permission denied"; if(strcmp(name, "") == 0) return "empty file name"; if(strlen(name) >= Namelen) return "file name too long"; if(finduser(name) != nil) return "user already exists"; f->user = installuser(name); f->user->ref++; f->qtype = Quser; } thdr.qid = mkqid(f->user, f->qtype); thdr.iounit = messagesize - IOHDRSZ; writeusers(); return 0; } char * Read(Fid *f) { User *u; char *data; ulong off, n, m; int i, j, max; if(!f->busy) return "read of unused fid"; n = rhdr.count; off = rhdr.offset; thdr.count = 0; data = thdr.data; switch(f->qtype){ case Qroot: j = 0; for(i = 0; i < Nuser; i++) for(u = users[i]; u != nil; j += m, u = u->link){ m = dostat(u, Quser, data, n); if(m <= BIT16SZ) break; if(j < off) continue; data += m; n -= m; } thdr.count = data - thdr.data; return 0; case Quser: max = Qmax; max -= Quser + 1; j = 0; for(i = 0; i < max; j += m, i++){ m = dostat(f->user, i + Quser + 1, data, n); if(m <= BIT16SZ) break; if(j < off) continue; data += m; n -= m; } thdr.count = data - thdr.data; return 0; case Qkey: case Qaeskey: case Qpakhash: case Qsecret: if(f->user->status != Sok) return "user disabled"; if(f->user->purgatory > (ulong)time(0)) return "user in purgatory"; if(f->user->expire != 0 && f->user->expire < (ulong)time(0)) return "user expired"; m = 0; switch(f->qtype){ case Qkey: data = (char*)f->user->key.des; m = DESKEYLEN; break; case Qaeskey: data = (char*)f->user->key.aes; m = AESKEYLEN; break; case Qpakhash: data = (char*)f->user->key.pakhash; m = PAKHASHLEN; break; case Qsecret: data = f->user->secret; Readstr: m = strlen(data); break; } if(off >= m) n = 0; else { data += off; m -= off; if(n > m) n = m; } if(data != thdr.data) memmove(thdr.data, data, n); thdr.count = n; return 0; case Qstatus: if(f->user->status == Sok && f->user->expire && f->user->expire < (ulong)time(0)) sprint(data, "expired\n"); else sprint(data, "%s\n", status[f->user->status]); goto Readstr; case Qexpire: if(!f->user->expire) strcpy(data, "never\n"); else sprint(data, "%lud\n", f->user->expire); goto Readstr; case Qlog: sprint(data, "%lud\n", f->user->bad); goto Readstr; case Qwarnings: sprint(data, "%ud\n", f->user->warnings); goto Readstr; default: return "permission denied: unknown qid"; } } char * Write(Fid *f) { char *data, *p; ulong n, expire; int i; if(!f->busy) return "permission denied"; if(readonly) return "mounted read-only"; n = rhdr.count; data = rhdr.data; switch(f->qtype){ case Qkey: if(n != DESKEYLEN) return "garbled write data"; memmove(f->user->key.des, data, n); thdr.count = n; break; case Qaeskey: if(n != AESKEYLEN) return "garbled write data"; memmove(f->user->key.aes, data, n); authpak_hash(&f->user->key, f->user->name); thdr.count = n; break; case Qsecret: if(n >= SECRETLEN) return "garbled write data"; memmove(f->user->secret, data, n); f->user->secret[n] = '\0'; thdr.count = n; break; case Qstatus: data[n] = '\0'; if(p = strchr(data, '\n')) *p = '\0'; for(i = 0; i < Smax; i++) if(strcmp(data, status[i]) == 0){ f->user->status = i; break; } if(i == Smax) return "unknown status"; f->user->bad = 0; thdr.count = n; break; case Qexpire: data[n] = '\0'; if(p = strchr(data, '\n')) *p = '\0'; else p = &data[n]; if(strcmp(data, "never") == 0) expire = 0; else{ expire = strtoul(data, &data, 10); if(data != p) return "bad expiration date"; } f->user->expire = expire; f->user->warnings = 0; thdr.count = n; break; case Qlog: data[n] = '\0'; if(strcmp(data, "good") == 0) f->user->bad = 0; else f->user->bad++; if(f->user->bad && ((f->user->bad)%MAXBAD) == 0) f->user->purgatory = (ulong)time(0) + f->user->bad; return 0; case Qwarnings: data[n] = '\0'; f->user->warnings = strtoul(data, nil, 10); thdr.count = n; break; case Qroot: case Quser: default: return "permission denied"; } writeusers(); return 0; } char * Remove(Fid *f) { if(!f->busy) return "permission denied"; if(readonly){ Clunk(f); return "mounted read-only"; } if(f->qtype == Qwarnings) f->user->warnings = 0; else if(f->qtype == Quser) removeuser(f->user); else { Clunk(f); return "permission denied"; } Clunk(f); writeusers(); return 0; } char * Stat(Fid *f) { static uchar statbuf[1024]; if(!f->busy) return "stat on unattached fid"; thdr.nstat = dostat(f->user, f->qtype, statbuf, sizeof statbuf); if(thdr.nstat <= BIT16SZ) return "stat buffer too small"; thdr.stat = statbuf; return 0; } char * Wstat(Fid *f) { Dir d; int n; char buf[1024]; if(!f->busy || f->qtype != Quser) return "permission denied"; if(readonly) return "mounted read-only"; if(rhdr.nstat > sizeof buf) return "wstat buffer too big"; if(convM2D(rhdr.stat, rhdr.nstat, &d, buf) == 0) return "bad stat buffer"; n = strlen(d.name); if(n == 0 || n >= Namelen) return "bad user name"; if(finduser(d.name)) return "user already exists"; if(!removeuser(f->user)) return "user previously removed"; free(f->user->name); f->user->name = estrdup(d.name); insertuser(f->user); writeusers(); return 0; } Qid mkqid(User *u, ulong qtype) { Qid q; q.vers = 0; q.path = qtype; if(u) q.path |= u->uniq * 0x100; if(qtype == Quser || qtype == Qroot) q.type = QTDIR; else q.type = QTFILE; return q; } int dostat(User *user, ulong qtype, void *p, int n) { Dir d; if(qtype == Quser) d.name = user->name; else d.name = qinfo[qtype]; d.uid = d.gid = d.muid = "auth"; d.qid = mkqid(user, qtype); if(d.qid.type & QTDIR) d.mode = 0777|DMDIR; else d.mode = 0666; d.atime = d.mtime = time(0); d.length = 0; return convD2M(&d, p, n); } void writeusers(void) { int keydblen, keydboff; int fd, i, nu; User *u; uchar *p, *buf; ulong expire; if(readonly){ fprint(2, "writeusers called while read-only; shouldn't happen\n"); return; } /* what format to use */ keydblen = KEYDBLEN; keydboff = KEYDBOFF; if(keydbaes){ keydblen += AESKEYLEN; keydboff = 8+16; /* segnature[8] + iv[16] */ } /* count users */ nu = 0; for(i = 0; i < Nuser; i++) for(u = users[i]; u != nil; u = u->link) nu++; /* pack into buffer */ buf = emalloc(keydboff + nu*keydblen); p = buf; genrandom(p, keydboff); p += keydboff; for(i = 0; i < Nuser; i++) for(u = users[i]; u != nil; u = u->link){ strncpy((char*)p, u->name, Namelen); p += Namelen; memmove(p, u->key.des, DESKEYLEN); p += DESKEYLEN; *p++ = u->status; *p++ = u->warnings; expire = u->expire; *p++ = expire; *p++ = expire >> 8; *p++ = expire >> 16; *p++ = expire >> 24; memmove(p, u->secret, SECRETLEN); p += SECRETLEN; if(keydbaes){ memmove(p, u->key.aes, AESKEYLEN); p += AESKEYLEN; } } /* encrypt */ if(keydbaes){ AESstate s; memmove(buf, "AES KEYS", 8); setupAESstate(&s, authkey.aes, AESKEYLEN, zeros); aesCBCencrypt(buf+8, (p - (buf+8)), &s); } else { uchar key[8]; DESstate s; des56to64((uchar*)authkey.des, key); setupDESstate(&s, key, zeros); desCBCencrypt(buf, p - buf, &s); } /* write file */ fd = create(userkeys, OWRITE, 0660); if(fd < 0){ fprint(2, "keyfs: can't write %s: %r\n", userkeys); free(buf); return; } if(write(fd, buf, p - buf) != (p - buf)) fprint(2, "keyfs: can't write %s: %r\n", userkeys); close(fd); free(buf); newkeys(); } int weirdfmt(Fmt *f) { char *s, buf[ANAMELEN*4 + 1]; int i, j, n; Rune r; s = va_arg(f->args, char*); j = 0; for(i = 0; i < ANAMELEN; i += n){ n = chartorune(&r, s + i); if(r == Runeerror) j += sprint(buf+j, "[%.2x]", buf[i]); else if(isascii(r) && iscntrl(r)) j += sprint(buf+j, "[%.2x]", r); else if(r == ' ' || r == '/') j += sprint(buf+j, "[%c]", r); else j += sprint(buf+j, "%C", r); } return fmtstrcpy(f, buf); } int userok(char *user, int nu) { int i, n, rv; Rune r; char buf[ANAMELEN+1]; memset(buf, 0, sizeof buf); memmove(buf, user, ANAMELEN); if(buf[ANAMELEN-1] != 0){ fprint(2, "keyfs: %d: no termination: %W\n", nu, buf); return -1; } rv = 0; for(i = 0; buf[i]; i += n){ n = chartorune(&r, buf+i); if(r == Runeerror){ // fprint(2, "keyfs: name %W bad rune byte %d\n", buf, i); rv = -1; } else if(isascii(r) && iscntrl(r) || r == ' ' || r == '/'){ // fprint(2, "keyfs: name %W bad char %C\n", buf, r); rv = -1; } } if(i == 0){ fprint(2, "keyfs: %d: nil name\n", nu); return -1; } if(rv == -1) fprint(2, "keyfs: %d: bad syntax: %W\n", nu, buf); return rv; } int readusers(void) { int keydblen, keydboff; int fd, i, n, nu; uchar *p, *buf, *ep; User *u; Dir *d; /* read file into an array */ fd = open(userkeys, OREAD); if(fd < 0){ fprint(2, "keyfs: can't read %s: %r\n", userkeys); return 0; } d = dirfstat(fd); if(d == nil){ close(fd); return 0; } buf = emalloc(d->length); n = readn(fd, buf, d->length); close(fd); free(d); if(n != d->length){ free(buf); return 0; } keydblen = KEYDBLEN; keydboff = KEYDBOFF; keydbaes = n > 24 && memcmp(buf, "AES KEYS", 8) == 0; /* decrypt */ if(keydbaes){ AESstate s; /* make sure we have AES encryption key */ if(!haveaeskey()){ free(buf); return 0; } keydblen += AESKEYLEN; keydboff = 8+16; /* signature[8] + iv[16] */ setupAESstate(&s, authkey.aes, AESKEYLEN, zeros); aesCBCdecrypt(buf+8, n-8, &s); } else { uchar key[8]; DESstate s; des56to64((uchar*)authkey.des, key); setupDESstate(&s, key, zeros); desCBCdecrypt(buf, n, &s); } /* unpack */ nu = 0; n = (n - keydboff) / keydblen; ep = buf + keydboff; for(i = 0; i < n; ep += keydblen, i++){ if(userok((char*)ep, i) < 0) continue; u = finduser((char*)ep); if(u == nil) u = installuser((char*)ep); memmove(u->key.des, ep + Namelen, DESKEYLEN); p = ep + Namelen + DESKEYLEN; u->status = *p++; u->warnings = *p++; if(u->status >= Smax) fprint(2, "keyfs: warning: bad status in key file\n"); u->expire = p[0] + (p[1]<<8) + (p[2]<<16) + (p[3]<<24); p += 4; memmove(u->secret, p, SECRETLEN); u->secret[SECRETLEN-1] = 0; p += SECRETLEN; if(keydbaes){ memmove(u->key.aes, p, AESKEYLEN); authpak_hash(&u->key, u->name); } nu++; } free(buf); print("%d keys read in %s format\n", nu, keydbaes ? "AES" : "DES"); return 1; } User * installuser(char *name) { User *u; int h; h = hash(name); u = emalloc(sizeof *u); u->name = estrdup(name); u->removed = 0; u->ref = 0; u->purgatory = 0; u->expire = 0; u->status = Sok; u->bad = 0; u->warnings = 0; u->uniq = uniq++; u->link = users[h]; users[h] = u; return u; } User * finduser(char *name) { User *u; for(u = users[hash(name)]; u != nil; u = u->link) if(strcmp(name, u->name) == 0) return u; return nil; } int removeuser(User *user) { User *u, **last; char *name; user->removed = 1; name = user->name; last = &users[hash(name)]; for(u = *last; u != nil; u = *last){ if(strcmp(name, u->name) == 0){ *last = u->link; return 1; } last = &u->link; } return 0; } void insertuser(User *user) { int h; user->removed = 0; h = hash(user->name); user->link = users[h]; users[h] = user; } ulong hash(char *s) { ulong h; h = 0; while(*s) h = (h << 1) ^ *s++; return h % Nuser; } Fid * findfid(int fid) { Fid *f, *ff; ff = nil; for(f = fids; f != nil; f = f->next) if(f->fid == fid) return f; else if(!ff && !f->busy) ff = f; if(ff != nil){ ff->fid = fid; return ff; } f = emalloc(sizeof *f); f->fid = fid; f->busy = 0; f->user = nil; f->next = fids; fids = f; return f; } void io(int in, int out) { char *err; int n; ulong now, lastwarning; /* after restart, let the system settle for 5 mins before warning */ lastwarning = (ulong)time(0) - 24*60*60 + 5*60; while((n = read9pmsg(in, mdata, messagesize)) != 0){ if(n < 0) error("mount read: %r"); if(convM2S(mdata, n, &rhdr) != n) error("convM2S format error: %r"); if(newkeys()) readusers(); thdr.data = (char*)mdata + IOHDRSZ; thdr.fid = rhdr.fid; if(!fcalls[rhdr.type]) err = "fcall request"; else err = (*fcalls[rhdr.type])(findfid(rhdr.fid)); thdr.tag = rhdr.tag; thdr.type = rhdr.type+1; if(err){ thdr.type = Rerror; thdr.ename = err; } n = convS2M(&thdr, mdata, messagesize); if(write(out, mdata, n) != n) error("mount write"); now = time(0); if(warnarg && (long)(now - lastwarning) > 24*60*60){ syslog(0, "auth", "keyfs starting warnings: %lux %lux", now, lastwarning); warning(); lastwarning = now; } } } int newkeys(void) { Dir *d; static ulong ftime; d = dirstat(userkeys); if(d == nil) return 0; if(d->mtime > ftime){ ftime = d->mtime; free(d); return 1; } free(d); return 0; } void * emalloc(ulong n) { void *p; if((p = malloc(n)) != nil){ memset(p, 0, n); return p; } error("out of memory"); return nil; /* not reached */ } char * estrdup(char *s) { char *d; int n; n = strlen(s)+1; d = emalloc(n); memmove(d, s, n); return d; } void warning(void) { int i; char buf[64]; snprint(buf, sizeof buf, "-%s", warnarg); switch(rfork(RFPROC|RFNAMEG|RFNOTEG|RFNOWAIT|RFENVG|RFFDG)){ case 0: i = open("/sys/log/auth", OWRITE); if(i >= 0){ dup(i, 2); seek(2, 0, 2); close(i); } execl("/bin/auth/warning", "warning", warnarg, nil); error("can't exec warning"); } }