xref: /dragonfly/usr.sbin/keyserv/keyserv.c (revision 1de703da) 
1 /*
2  * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
3  * unrestricted use provided that this legend is included on all tape
4  * media and as a part of the software program in whole or part.  Users
5  * may copy or modify Sun RPC without charge, but are not authorized
6  * to license or distribute it to anyone else except as part of a product or
7  * program developed by the user.
8  *
9  * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
10  * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR
11  * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
12  *
13  * Sun RPC is provided with no support and without any obligation on the
14  * part of Sun Microsystems, Inc. to assist in its use, correction,
15  * modification or enhancement.
16  *
17  * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
18  * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
19  * OR ANY PART THEREOF.
20  *
21  * In no event will Sun Microsystems, Inc. be liable for any lost revenue
22  * or profits or other special, indirect and consequential damages, even if
23  * Sun has been advised of the possibility of such damages.
24  *
25  * Sun Microsystems, Inc.
26  * 2550 Garcia Avenue
27  * Mountain View, California  94043
28  *
29  * @(#)keyserv.c	1.15	94/04/25 SMI
30  * $FreeBSD: src/usr.sbin/keyserv/keyserv.c,v 1.3.2.2 2001/07/19 10:58:22 roam Exp $
31  * $DragonFly: src/usr.sbin/keyserv/keyserv.c,v 1.2 2003/06/17 04:29:55 dillon Exp $
32  */
33 
34 /*
35  * Copyright (c) 1986 - 1991 by Sun Microsystems, Inc.
36  */
37 
38 /*
39  * Keyserver
40  * Store secret keys per uid. Do public key encryption and decryption
41  * operations. Generate "random" keys.
42  * Do not talk to anything but a local root
43  * process on the local transport only
44  */
45 
46 #include <err.h>
47 #include <pwd.h>
48 #include <stdio.h>
49 #include <stdlib.h>
50 #include <string.h>
51 #include <unistd.h>
52 #include <sys/stat.h>
53 #include <sys/types.h>
54 #include <rpc/rpc.h>
55 #include <rpc/pmap_clnt.h>
56 #include <sys/param.h>
57 #include <sys/file.h>
58 #include <rpc/des_crypt.h>
59 #include <rpc/des.h>
60 #include <rpc/key_prot.h>
61 #include <rpcsvc/crypt.h>
62 #include "keyserv.h"
63 
64 #ifndef NGROUPS
65 #define	NGROUPS 16
66 #endif
67 
68 #ifndef KEYSERVSOCK
69 #define KEYSERVSOCK "/var/run/keyservsock"
70 #endif
71 
72 static void randomize __P(( des_block * ));
73 static void usage __P(( void ));
74 static int getrootkey __P(( des_block *, int ));
75 static int root_auth __P(( SVCXPRT *, struct svc_req * ));
76 
77 #ifdef DEBUG
78 static int debugging = 1;
79 #else
80 static int debugging = 0;
81 #endif
82 
83 static void keyprogram();
84 static des_block masterkey;
85 char *getenv();
86 static char ROOTKEY[] = "/etc/.rootkey";
87 
88 /*
89  * Hack to allow the keyserver to use AUTH_DES (for authenticated
90  * NIS+ calls, for example).  The only functions that get called
91  * are key_encryptsession_pk, key_decryptsession_pk, and key_gendes.
92  *
93  * The approach is to have the keyserver fill in pointers to local
94  * implementations of these functions, and to call those in key_call().
95  */
96 
97 extern cryptkeyres *(*__key_encryptsession_pk_LOCAL)();
98 extern cryptkeyres *(*__key_decryptsession_pk_LOCAL)();
99 extern des_block *(*__key_gendes_LOCAL)();
100 extern int (*__des_crypt_LOCAL)();
101 
102 cryptkeyres *key_encrypt_pk_2_svc_prog __P(( uid_t, cryptkeyarg2 * ));
103 cryptkeyres *key_decrypt_pk_2_svc_prog __P(( uid_t, cryptkeyarg2 * ));
104 des_block *key_gen_1_svc_prog __P(( void *, struct svc_req * ));
105 
106 int
107 main(argc, argv)
108 	int argc;
109 	char *argv[];
110 {
111 	int nflag = 0;
112 	int c;
113 	register SVCXPRT *transp;
114 	int sock = RPC_ANYSOCK;
115 	int warn = 0;
116 	char *path = NULL;
117 
118 	__key_encryptsession_pk_LOCAL = &key_encrypt_pk_2_svc_prog;
119 	__key_decryptsession_pk_LOCAL = &key_decrypt_pk_2_svc_prog;
120 	__key_gendes_LOCAL = &key_gen_1_svc_prog;
121 
122 	while ((c = getopt(argc, argv, "ndDvp:")) != -1)
123 		switch (c) {
124 		case 'n':
125 			nflag++;
126 			break;
127 		case 'd':
128 			pk_nodefaultkeys();
129 			break;
130 		case 'D':
131 			debugging = 1;
132 			break;
133 		case 'v':
134 			warn = 1;
135 			break;
136 		case 'p':
137 			path = optarg;
138 			break;
139 		default:
140 			usage();
141 		}
142 
143 	load_des(warn, path);
144 	__des_crypt_LOCAL = _my_crypt;
145 	if (svc_auth_reg(AUTH_DES, _svcauth_des) == -1)
146 		errx(1, "failed to register AUTH_DES authenticator");
147 
148 	if (optind != argc) {
149 		usage();
150 	}
151 
152 	/*
153 	 * Initialize
154 	 */
155 	(void) umask(066);	/* paranoia */
156 	if (geteuid() != 0)
157 		errx(1, "keyserv must be run as root");
158 	setmodulus(HEXMODULUS);
159 	getrootkey(&masterkey, nflag);
160 
161 
162 	/* Create services. */
163 
164 	(void) pmap_unset(KEY_PROG, KEY_VERS);
165 	(void) pmap_unset(KEY_PROG, KEY_VERS2);
166 	unlink(KEYSERVSOCK);
167 
168 	transp = svcudp_create(RPC_ANYSOCK);
169 	if (transp == NULL)
170 		errx(1, "cannot create udp service");
171 	if (!svc_register(transp, KEY_PROG, KEY_VERS, keyprogram, IPPROTO_UDP))
172 		errx(1, "unable to register (KEY_PROG, KEY_VERS, udp)");
173 	if (!svc_register(transp, KEY_PROG, KEY_VERS2, keyprogram, IPPROTO_UDP))
174 		errx(1, "unable to register (KEY_PROG, KEY_VERS2, udp)");
175 
176 	transp = svctcp_create(RPC_ANYSOCK, 0, 0);
177 	if (transp == NULL)
178 		errx(1, "cannot create tcp service");
179 	if (!svc_register(transp, KEY_PROG, KEY_VERS, keyprogram, IPPROTO_TCP))
180 		errx(1, "unable to register (KEY_PROG, KEY_VERS, tcp)");
181 	if (!svc_register(transp, KEY_PROG, KEY_VERS2, keyprogram, IPPROTO_TCP))
182 		errx(1, "unable to register (KEY_PROG, KEY_VERS2, tcp)");
183 
184 	transp = svcunix_create(sock, 0, 0, KEYSERVSOCK);
185 	chmod(KEYSERVSOCK, 0666);
186 	if (transp == NULL)
187 		errx(1, "cannot create AF_UNIX service");
188 	if (!svc_register(transp, KEY_PROG, KEY_VERS, keyprogram, 0))
189 		errx(1, "unable to register (KEY_PROG, KEY_VERS, unix)");
190 	if (!svc_register(transp, KEY_PROG, KEY_VERS2, keyprogram, 0))
191 		errx(1, "unable to register (KEY_PROG, KEY_VERS2, unix)");
192 	if (!svc_register(transp, CRYPT_PROG, CRYPT_VERS, crypt_prog_1, 0))
193 		errx(1, "unable to register (CRYPT_PROG, CRYPT_VERS, unix)");
194 
195 	if (!debugging) {
196 		daemon(0,0);
197 	}
198 
199 	signal(SIGPIPE, SIG_IGN);
200 
201 	svc_run();
202 	abort();
203 	/* NOTREACHED */
204 }
205 
206 /*
207  * In the event that we don't get a root password, we try to
208  * randomize the master key the best we can
209  */
210 static void
211 randomize(master)
212 	des_block *master;
213 {
214 	int i;
215 	int seed;
216 	struct timeval tv;
217 	int shift;
218 
219 	seed = 0;
220 	for (i = 0; i < 1024; i++) {
221 		(void) gettimeofday(&tv, (struct timezone *) NULL);
222 		shift = i % 8 * sizeof (int);
223 		seed ^= (tv.tv_usec << shift) | (tv.tv_usec >> (32 - shift));
224 	}
225 #ifdef KEYSERV_RANDOM
226 	srandom(seed);
227 	master->key.low = random();
228 	master->key.high = random();
229 	srandom(seed);
230 #else
231 	/* use stupid dangerous bad rand() */
232 	srand(seed);
233 	master->key.low = rand();
234 	master->key.high = rand();
235 	srand(seed);
236 #endif
237 }
238 
239 /*
240  * Try to get root's secret key, by prompting if terminal is a tty, else trying
241  * from standard input.
242  * Returns 1 on success.
243  */
244 static int
245 getrootkey(master, prompt)
246 	des_block *master;
247 	int prompt;
248 {
249 	char *passwd;
250 	char name[MAXNETNAMELEN + 1];
251 	char secret[HEXKEYBYTES];
252 	key_netstarg netstore;
253 	int fd;
254 
255 	if (!prompt) {
256 		/*
257 		 * Read secret key out of ROOTKEY
258 		 */
259 		fd = open(ROOTKEY, O_RDONLY, 0);
260 		if (fd < 0) {
261 			randomize(master);
262 			return (0);
263 		}
264 		if (read(fd, secret, HEXKEYBYTES) < HEXKEYBYTES) {
265 			warnx("the key read from %s was too short", ROOTKEY);
266 			(void) close(fd);
267 			return (0);
268 		}
269 		(void) close(fd);
270 		if (!getnetname(name)) {
271 		    warnx(
272 	"failed to generate host's netname when establishing root's key");
273 		    return (0);
274 		}
275 		memcpy(netstore.st_priv_key, secret, HEXKEYBYTES);
276 		memset(netstore.st_pub_key, 0, HEXKEYBYTES);
277 		netstore.st_netname = name;
278 		if (pk_netput(0, &netstore) != KEY_SUCCESS) {
279 		    warnx("could not set root's key and netname");
280 		    return (0);
281 		}
282 		return (1);
283 	}
284 	/*
285 	 * Decrypt yellow pages publickey entry to get secret key
286 	 */
287 	passwd = getpass("root password:");
288 	passwd2des(passwd, (char *)master);
289 	getnetname(name);
290 	if (!getsecretkey(name, secret, passwd)) {
291 		warnx("can't find %s's secret key", name);
292 		return (0);
293 	}
294 	if (secret[0] == 0) {
295 		warnx("password does not decrypt secret key for %s", name);
296 		return (0);
297 	}
298 	(void) pk_setkey(0, secret);
299 	/*
300 	 * Store it for future use in $ROOTKEY, if possible
301 	 */
302 	fd = open(ROOTKEY, O_WRONLY|O_TRUNC|O_CREAT, 0);
303 	if (fd > 0) {
304 		char newline = '\n';
305 
306 		write(fd, secret, strlen(secret));
307 		write(fd, &newline, sizeof (newline));
308 		close(fd);
309 	}
310 	return (1);
311 }
312 
313 /*
314  * Procedures to implement RPC service
315  */
316 char *
317 strstatus(status)
318 	keystatus status;
319 {
320 	switch (status) {
321 	case KEY_SUCCESS:
322 		return ("KEY_SUCCESS");
323 	case KEY_NOSECRET:
324 		return ("KEY_NOSECRET");
325 	case KEY_UNKNOWN:
326 		return ("KEY_UNKNOWN");
327 	case KEY_SYSTEMERR:
328 		return ("KEY_SYSTEMERR");
329 	default:
330 		return ("(bad result code)");
331 	}
332 }
333 
334 keystatus *
335 key_set_1_svc_prog(uid, key)
336 	uid_t uid;
337 	keybuf key;
338 {
339 	static keystatus status;
340 
341 	if (debugging) {
342 		(void) fprintf(stderr, "set(%ld, %.*s) = ", uid,
343 				(int) sizeof (keybuf), key);
344 	}
345 	status = pk_setkey(uid, key);
346 	if (debugging) {
347 		(void) fprintf(stderr, "%s\n", strstatus(status));
348 		(void) fflush(stderr);
349 	}
350 	return (&status);
351 }
352 
353 cryptkeyres *
354 key_encrypt_pk_2_svc_prog(uid, arg)
355 	uid_t uid;
356 	cryptkeyarg2 *arg;
357 {
358 	static cryptkeyres res;
359 
360 	if (debugging) {
361 		(void) fprintf(stderr, "encrypt(%ld, %s, %08x%08x) = ", uid,
362 				arg->remotename, arg->deskey.key.high,
363 				arg->deskey.key.low);
364 	}
365 	res.cryptkeyres_u.deskey = arg->deskey;
366 	res.status = pk_encrypt(uid, arg->remotename, &(arg->remotekey),
367 				&res.cryptkeyres_u.deskey);
368 	if (debugging) {
369 		if (res.status == KEY_SUCCESS) {
370 			(void) fprintf(stderr, "%08x%08x\n",
371 					res.cryptkeyres_u.deskey.key.high,
372 					res.cryptkeyres_u.deskey.key.low);
373 		} else {
374 			(void) fprintf(stderr, "%s\n", strstatus(res.status));
375 		}
376 		(void) fflush(stderr);
377 	}
378 	return (&res);
379 }
380 
381 cryptkeyres *
382 key_decrypt_pk_2_svc_prog(uid, arg)
383 	uid_t uid;
384 	cryptkeyarg2 *arg;
385 {
386 	static cryptkeyres res;
387 
388 	if (debugging) {
389 		(void) fprintf(stderr, "decrypt(%ld, %s, %08x%08x) = ", uid,
390 				arg->remotename, arg->deskey.key.high,
391 				arg->deskey.key.low);
392 	}
393 	res.cryptkeyres_u.deskey = arg->deskey;
394 	res.status = pk_decrypt(uid, arg->remotename, &(arg->remotekey),
395 				&res.cryptkeyres_u.deskey);
396 	if (debugging) {
397 		if (res.status == KEY_SUCCESS) {
398 			(void) fprintf(stderr, "%08x%08x\n",
399 					res.cryptkeyres_u.deskey.key.high,
400 					res.cryptkeyres_u.deskey.key.low);
401 		} else {
402 			(void) fprintf(stderr, "%s\n", strstatus(res.status));
403 		}
404 		(void) fflush(stderr);
405 	}
406 	return (&res);
407 }
408 
409 keystatus *
410 key_net_put_2_svc_prog(uid, arg)
411 	uid_t uid;
412 	key_netstarg *arg;
413 {
414 	static keystatus status;
415 
416 	if (debugging) {
417 		(void) fprintf(stderr, "net_put(%s, %.*s, %.*s) = ",
418 			arg->st_netname, (int)sizeof (arg->st_pub_key),
419 			arg->st_pub_key, (int)sizeof (arg->st_priv_key),
420 			arg->st_priv_key);
421 	};
422 
423 	status = pk_netput(uid, arg);
424 
425 	if (debugging) {
426 		(void) fprintf(stderr, "%s\n", strstatus(status));
427 		(void) fflush(stderr);
428 	}
429 
430 	return (&status);
431 }
432 
433 key_netstres *
434 key_net_get_2_svc_prog(uid, arg)
435 	uid_t uid;
436 	void *arg;
437 {
438 	static key_netstres keynetname;
439 
440 	if (debugging)
441 		(void) fprintf(stderr, "net_get(%ld) = ", uid);
442 
443 	keynetname.status = pk_netget(uid, &keynetname.key_netstres_u.knet);
444 	if (debugging) {
445 		if (keynetname.status == KEY_SUCCESS) {
446 			fprintf(stderr, "<%s, %.*s, %.*s>\n",
447 			keynetname.key_netstres_u.knet.st_netname,
448 			(int)sizeof (keynetname.key_netstres_u.knet.st_pub_key),
449 			keynetname.key_netstres_u.knet.st_pub_key,
450 			(int)sizeof (keynetname.key_netstres_u.knet.st_priv_key),
451 			keynetname.key_netstres_u.knet.st_priv_key);
452 		} else {
453 			(void) fprintf(stderr, "NOT FOUND\n");
454 		}
455 		(void) fflush(stderr);
456 	}
457 
458 	return (&keynetname);
459 
460 }
461 
462 cryptkeyres *
463 key_get_conv_2_svc_prog(uid, arg)
464 	uid_t uid;
465 	keybuf arg;
466 {
467 	static cryptkeyres  res;
468 
469 	if (debugging)
470 		(void) fprintf(stderr, "get_conv(%ld, %.*s) = ", uid,
471 			(int)sizeof (arg), arg);
472 
473 
474 	res.status = pk_get_conv_key(uid, arg, &res);
475 
476 	if (debugging) {
477 		if (res.status == KEY_SUCCESS) {
478 			(void) fprintf(stderr, "%08x%08x\n",
479 				res.cryptkeyres_u.deskey.key.high,
480 				res.cryptkeyres_u.deskey.key.low);
481 		} else {
482 			(void) fprintf(stderr, "%s\n", strstatus(res.status));
483 		}
484 		(void) fflush(stderr);
485 	}
486 	return (&res);
487 }
488 
489 
490 cryptkeyres *
491 key_encrypt_1_svc_prog(uid, arg)
492 	uid_t uid;
493 	cryptkeyarg *arg;
494 {
495 	static cryptkeyres res;
496 
497 	if (debugging) {
498 		(void) fprintf(stderr, "encrypt(%ld, %s, %08x%08x) = ", uid,
499 				arg->remotename, arg->deskey.key.high,
500 				arg->deskey.key.low);
501 	}
502 	res.cryptkeyres_u.deskey = arg->deskey;
503 	res.status = pk_encrypt(uid, arg->remotename, NULL,
504 				&res.cryptkeyres_u.deskey);
505 	if (debugging) {
506 		if (res.status == KEY_SUCCESS) {
507 			(void) fprintf(stderr, "%08x%08x\n",
508 					res.cryptkeyres_u.deskey.key.high,
509 					res.cryptkeyres_u.deskey.key.low);
510 		} else {
511 			(void) fprintf(stderr, "%s\n", strstatus(res.status));
512 		}
513 		(void) fflush(stderr);
514 	}
515 	return (&res);
516 }
517 
518 cryptkeyres *
519 key_decrypt_1_svc_prog(uid, arg)
520 	uid_t uid;
521 	cryptkeyarg *arg;
522 {
523 	static cryptkeyres res;
524 
525 	if (debugging) {
526 		(void) fprintf(stderr, "decrypt(%ld, %s, %08x%08x) = ", uid,
527 				arg->remotename, arg->deskey.key.high,
528 				arg->deskey.key.low);
529 	}
530 	res.cryptkeyres_u.deskey = arg->deskey;
531 	res.status = pk_decrypt(uid, arg->remotename, NULL,
532 				&res.cryptkeyres_u.deskey);
533 	if (debugging) {
534 		if (res.status == KEY_SUCCESS) {
535 			(void) fprintf(stderr, "%08x%08x\n",
536 					res.cryptkeyres_u.deskey.key.high,
537 					res.cryptkeyres_u.deskey.key.low);
538 		} else {
539 			(void) fprintf(stderr, "%s\n", strstatus(res.status));
540 		}
541 		(void) fflush(stderr);
542 	}
543 	return (&res);
544 }
545 
546 /* ARGSUSED */
547 des_block *
548 key_gen_1_svc_prog(v, s)
549 	void	*v;
550 	struct svc_req	*s;
551 {
552 	struct timeval time;
553 	static des_block keygen;
554 	static des_block key;
555 
556 	(void) gettimeofday(&time, (struct timezone *) NULL);
557 	keygen.key.high += (time.tv_sec ^ time.tv_usec);
558 	keygen.key.low += (time.tv_sec ^ time.tv_usec);
559 	ecb_crypt((char *)&masterkey, (char *)&keygen, sizeof (keygen),
560 		DES_ENCRYPT | DES_HW);
561 	key = keygen;
562 	des_setparity((char *)&key);
563 	if (debugging) {
564 		(void) fprintf(stderr, "gen() = %08x%08x\n", key.key.high,
565 					key.key.low);
566 		(void) fflush(stderr);
567 	}
568 	return (&key);
569 }
570 
571 getcredres *
572 key_getcred_1_svc_prog(uid, name)
573 	uid_t uid;
574 	netnamestr *name;
575 {
576 	static getcredres res;
577 	static u_int gids[NGROUPS];
578 	struct unixcred *cred;
579 
580 	cred = &res.getcredres_u.cred;
581 	cred->gids.gids_val = gids;
582 	if (!netname2user(*name, (uid_t *) &cred->uid, (gid_t *) &cred->gid,
583 			(int *)&cred->gids.gids_len, (gid_t *)gids)) {
584 		res.status = KEY_UNKNOWN;
585 	} else {
586 		res.status = KEY_SUCCESS;
587 	}
588 	if (debugging) {
589 		(void) fprintf(stderr, "getcred(%s) = ", *name);
590 		if (res.status == KEY_SUCCESS) {
591 			(void) fprintf(stderr, "uid=%d, gid=%d, grouplen=%d\n",
592 				cred->uid, cred->gid, cred->gids.gids_len);
593 		} else {
594 			(void) fprintf(stderr, "%s\n", strstatus(res.status));
595 		}
596 		(void) fflush(stderr);
597 	}
598 	return (&res);
599 }
600 
601 /*
602  * RPC boilerplate
603  */
604 static void
605 keyprogram(rqstp, transp)
606 	struct svc_req *rqstp;
607 	SVCXPRT *transp;
608 {
609 	union {
610 		keybuf key_set_1_arg;
611 		cryptkeyarg key_encrypt_1_arg;
612 		cryptkeyarg key_decrypt_1_arg;
613 		netnamestr key_getcred_1_arg;
614 		cryptkeyarg key_encrypt_2_arg;
615 		cryptkeyarg key_decrypt_2_arg;
616 		netnamestr key_getcred_2_arg;
617 		cryptkeyarg2 key_encrypt_pk_2_arg;
618 		cryptkeyarg2 key_decrypt_pk_2_arg;
619 		key_netstarg key_net_put_2_arg;
620 		netobj  key_get_conv_2_arg;
621 	} argument;
622 	char *result;
623 	bool_t(*xdr_argument)(), (*xdr_result)();
624 	char *(*local) ();
625 	uid_t uid = -1;
626 	int check_auth;
627 
628 	switch (rqstp->rq_proc) {
629 	case NULLPROC:
630 		svc_sendreply(transp, xdr_void, (char *)NULL);
631 		return;
632 
633 	case KEY_SET:
634 		xdr_argument = xdr_keybuf;
635 		xdr_result = xdr_int;
636 		local = (char *(*)()) key_set_1_svc_prog;
637 		check_auth = 1;
638 		break;
639 
640 	case KEY_ENCRYPT:
641 		xdr_argument = xdr_cryptkeyarg;
642 		xdr_result = xdr_cryptkeyres;
643 		local = (char *(*)()) key_encrypt_1_svc_prog;
644 		check_auth = 1;
645 		break;
646 
647 	case KEY_DECRYPT:
648 		xdr_argument = xdr_cryptkeyarg;
649 		xdr_result = xdr_cryptkeyres;
650 		local = (char *(*)()) key_decrypt_1_svc_prog;
651 		check_auth = 1;
652 		break;
653 
654 	case KEY_GEN:
655 		xdr_argument = xdr_void;
656 		xdr_result = xdr_des_block;
657 		local = (char *(*)()) key_gen_1_svc_prog;
658 		check_auth = 0;
659 		break;
660 
661 	case KEY_GETCRED:
662 		xdr_argument = xdr_netnamestr;
663 		xdr_result = xdr_getcredres;
664 		local = (char *(*)()) key_getcred_1_svc_prog;
665 		check_auth = 0;
666 		break;
667 
668 	case KEY_ENCRYPT_PK:
669 		xdr_argument = xdr_cryptkeyarg2;
670 		xdr_result = xdr_cryptkeyres;
671 		local = (char *(*)()) key_encrypt_pk_2_svc_prog;
672 		check_auth = 1;
673 		break;
674 
675 	case KEY_DECRYPT_PK:
676 		xdr_argument = xdr_cryptkeyarg2;
677 		xdr_result = xdr_cryptkeyres;
678 		local = (char *(*)()) key_decrypt_pk_2_svc_prog;
679 		check_auth = 1;
680 		break;
681 
682 
683 	case KEY_NET_PUT:
684 		xdr_argument = xdr_key_netstarg;
685 		xdr_result = xdr_keystatus;
686 		local = (char *(*)()) key_net_put_2_svc_prog;
687 		check_auth = 1;
688 		break;
689 
690 	case KEY_NET_GET:
691 		xdr_argument = (xdrproc_t) xdr_void;
692 		xdr_result = xdr_key_netstres;
693 		local = (char *(*)()) key_net_get_2_svc_prog;
694 		check_auth = 1;
695 		break;
696 
697 	case KEY_GET_CONV:
698 		xdr_argument = (xdrproc_t) xdr_keybuf;
699 		xdr_result = xdr_cryptkeyres;
700 		local = (char *(*)()) key_get_conv_2_svc_prog;
701 		check_auth = 1;
702 		break;
703 
704 	default:
705 		svcerr_noproc(transp);
706 		return;
707 	}
708 	if (check_auth) {
709 		if (root_auth(transp, rqstp) == 0) {
710 			if (debugging) {
711 				(void) fprintf(stderr,
712 				"not local privileged process\n");
713 			}
714 			svcerr_weakauth(transp);
715 			return;
716 		}
717 		if (rqstp->rq_cred.oa_flavor != AUTH_SYS) {
718 			if (debugging) {
719 				(void) fprintf(stderr,
720 				"not unix authentication\n");
721 			}
722 			svcerr_weakauth(transp);
723 			return;
724 		}
725 		uid = ((struct authsys_parms *)rqstp->rq_clntcred)->aup_uid;
726 	}
727 
728 	memset((char *) &argument, 0, sizeof (argument));
729 	if (!svc_getargs(transp, xdr_argument, (caddr_t)&argument)) {
730 		svcerr_decode(transp);
731 		return;
732 	}
733 	result = (*local) (uid, &argument);
734 	if (!svc_sendreply(transp, xdr_result, (char *) result)) {
735 		if (debugging)
736 			(void) fprintf(stderr, "unable to reply\n");
737 		svcerr_systemerr(transp);
738 	}
739 	if (!svc_freeargs(transp, xdr_argument, (caddr_t)&argument)) {
740 		if (debugging)
741 			(void) fprintf(stderr,
742 			"unable to free arguments\n");
743 		exit(1);
744 	}
745 	return;
746 }
747 
748 static int
749 root_auth(trans, rqstp)
750 	SVCXPRT *trans;
751 	struct svc_req *rqstp;
752 {
753 	uid_t uid;
754 	struct sockaddr_in *remote;
755 
756 	remote = svc_getcaller(trans);
757 	if (remote->sin_family == AF_INET) {
758 		if (debugging)
759 			fprintf(stderr, "client didn't use AF_UNIX\n");
760 		return (0);
761 	}
762 
763 	if (__rpc_get_local_uid(&uid, trans) < 0) {
764 		if (debugging)
765 			fprintf(stderr, "__rpc_get_local_uid failed\n");
766 		return (0);
767 	}
768 
769 	if (debugging)
770 		fprintf(stderr, "local_uid  %ld\n", uid);
771 	if (uid == 0)
772 		return (1);
773 	if (rqstp->rq_cred.oa_flavor == AUTH_SYS) {
774 		if (((uid_t) ((struct authunix_parms *)
775 			rqstp->rq_clntcred)->aup_uid)
776 			== uid) {
777 			return (1);
778 		} else {
779 			if (debugging)
780 				fprintf(stderr,
781 			"local_uid  %ld mismatches auth %ld\n", uid,
782 ((uid_t) ((struct authunix_parms *)rqstp->rq_clntcred)->aup_uid));
783 			return (0);
784 		}
785 	} else {
786 		if (debugging)
787 			fprintf(stderr, "Not auth sys\n");
788 		return (0);
789 	}
790 }
791 
792 static void
793 usage()
794 {
795 	(void) fprintf(stderr,
796 			"usage: keyserv [-n] [-D] [-d] [-v] [-p path]\n");
797 	(void) fprintf(stderr, "-d disables the use of default keys\n");
798 	exit(1);
799 }
800