xref: /dragonfly/usr.sbin/keyserv/keyserv.c (revision 768af85b) 
1 /*
2  * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
3  * unrestricted use provided that this legend is included on all tape
4  * media and as a part of the software program in whole or part.  Users
5  * may copy or modify Sun RPC without charge, but are not authorized
6  * to license or distribute it to anyone else except as part of a product or
7  * program developed by the user.
8  *
9  * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
10  * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR
11  * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
12  *
13  * Sun RPC is provided with no support and without any obligation on the
14  * part of Sun Microsystems, Inc. to assist in its use, correction,
15  * modification or enhancement.
16  *
17  * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
18  * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
19  * OR ANY PART THEREOF.
20  *
21  * In no event will Sun Microsystems, Inc. be liable for any lost revenue
22  * or profits or other special, indirect and consequential damages, even if
23  * Sun has been advised of the possibility of such damages.
24  *
25  * Sun Microsystems, Inc.
26  * 2550 Garcia Avenue
27  * Mountain View, California  94043
28  *
29  * @(#)keyserv.c	1.15	94/04/25 SMI
30  * $FreeBSD: src/usr.sbin/keyserv/keyserv.c,v 1.12 2007/11/07 10:53:35 kevlo Exp $
31  * $DragonFly: src/usr.sbin/keyserv/keyserv.c,v 1.6 2004/12/18 22:48:03 swildner Exp $
32  */
33 
34 /*
35  * Copyright (c) 1986 - 1991 by Sun Microsystems, Inc.
36  */
37 
38 /*
39  * Keyserver
40  * Store secret keys per uid. Do public key encryption and decryption
41  * operations. Generate "random" keys.
42  * Do not talk to anything but a local root
43  * process on the local transport only
44  */
45 
46 #include <err.h>
47 #include <pwd.h>
48 #include <stdio.h>
49 #include <stdlib.h>
50 #include <string.h>
51 #include <unistd.h>
52 #include <sys/stat.h>
53 #include <sys/types.h>
54 #include <rpc/rpc.h>
55 #include <sys/param.h>
56 #include <sys/file.h>
57 #include <rpc/des_crypt.h>
58 #include <rpc/des.h>
59 #include <rpc/key_prot.h>
60 #include <rpcsvc/crypt.h>
61 #include "keyserv.h"
62 
63 #ifndef NGROUPS
64 #define	NGROUPS 16
65 #endif
66 
67 #ifndef KEYSERVSOCK
68 #define KEYSERVSOCK "/var/run/keyservsock"
69 #endif
70 
71 static void randomize( des_block * );
72 static void usage( void );
73 static int getrootkey( des_block *, int );
74 static int root_auth( SVCXPRT *, struct svc_req * );
75 
76 #ifdef DEBUG
77 static int debugging = 1;
78 #else
79 static int debugging = 0;
80 #endif
81 
82 static void keyprogram();
83 static des_block masterkey;
84 char *getenv();
85 static char ROOTKEY[] = "/etc/.rootkey";
86 
87 /*
88  * Hack to allow the keyserver to use AUTH_DES (for authenticated
89  * NIS+ calls, for example).  The only functions that get called
90  * are key_encryptsession_pk, key_decryptsession_pk, and key_gendes.
91  *
92  * The approach is to have the keyserver fill in pointers to local
93  * implementations of these functions, and to call those in key_call().
94  */
95 
96 extern cryptkeyres *(*__key_encryptsession_pk_LOCAL)();
97 extern cryptkeyres *(*__key_decryptsession_pk_LOCAL)();
98 extern des_block *(*__key_gendes_LOCAL)();
99 extern int (*__des_crypt_LOCAL)();
100 
101 cryptkeyres *key_encrypt_pk_2_svc_prog( uid_t, cryptkeyarg2 * );
102 cryptkeyres *key_decrypt_pk_2_svc_prog( uid_t, cryptkeyarg2 * );
103 des_block *key_gen_1_svc_prog( void *, struct svc_req * );
104 
105 int
106 main(int argc, char **argv)
107 {
108 	int nflag = 0;
109 	int c;
110 	int warn = 0;
111 	char *path = NULL;
112 	void *localhandle;
113 	SVCXPRT *transp;
114 	struct netconfig *nconf = NULL;
115 
116 	__key_encryptsession_pk_LOCAL = &key_encrypt_pk_2_svc_prog;
117 	__key_decryptsession_pk_LOCAL = &key_decrypt_pk_2_svc_prog;
118 	__key_gendes_LOCAL = &key_gen_1_svc_prog;
119 
120 	while ((c = getopt(argc, argv, "ndDvp:")) != -1)
121 		switch (c) {
122 		case 'n':
123 			nflag++;
124 			break;
125 		case 'd':
126 			pk_nodefaultkeys();
127 			break;
128 		case 'D':
129 			debugging = 1;
130 			break;
131 		case 'v':
132 			warn = 1;
133 			break;
134 		case 'p':
135 			path = optarg;
136 			break;
137 		default:
138 			usage();
139 		}
140 
141 	load_des(warn, path);
142 	__des_crypt_LOCAL = _my_crypt;
143 	if (svc_auth_reg(AUTH_DES, _svcauth_des) == -1)
144 		errx(1, "failed to register AUTH_DES authenticator");
145 
146 	if (optind != argc) {
147 		usage();
148 	}
149 
150 	/*
151 	 * Initialize
152 	 */
153 	umask(S_IXUSR|S_IXGRP|S_IXOTH);
154 	if (geteuid() != 0)
155 		errx(1, "keyserv must be run as root");
156 	setmodulus(HEXMODULUS);
157 	getrootkey(&masterkey, nflag);
158 
159 	rpcb_unset(KEY_PROG, KEY_VERS, NULL);
160 	rpcb_unset(KEY_PROG, KEY_VERS2, NULL);
161 
162 	if (svc_create(keyprogram, KEY_PROG, KEY_VERS,
163 		"netpath") == 0) {
164 		fprintf(stderr, "%s: unable to create service\n", argv[0]);
165 		exit(1);
166 	}
167 
168 	if (svc_create(keyprogram, KEY_PROG, KEY_VERS2,
169 	"netpath") == 0) {
170 		fprintf(stderr, "%s: unable to create service\n", argv[0]);
171 		exit(1);
172 	}
173 
174 	localhandle = setnetconfig();
175 	while ((nconf = getnetconfig(localhandle)) != NULL) {
176 		if (nconf->nc_protofmly != NULL &&
177 		    strcmp(nconf->nc_protofmly, NC_LOOPBACK) == 0)
178 			break;
179 	}
180 
181 	if (nconf == NULL)
182 		errx(1, "getnetconfig: %s", nc_sperror());
183 
184 	unlink(KEYSERVSOCK);
185 	rpcb_unset(CRYPT_PROG, CRYPT_VERS, nconf);
186 	transp = svcunix_create(RPC_ANYSOCK, 0, 0, KEYSERVSOCK);
187 	if (transp == NULL)
188 		errx(1, "cannot create AF_LOCAL service");
189 	if (!svc_reg(transp, KEY_PROG, KEY_VERS, keyprogram, nconf))
190 		errx(1, "unable to register (KEY_PROG, KEY_VERS, unix)");
191 	if (!svc_reg(transp, KEY_PROG, KEY_VERS2, keyprogram, nconf))
192 		errx(1, "unable to register (KEY_PROG, KEY_VERS2, unix)");
193 	if (!svc_reg(transp, CRYPT_PROG, CRYPT_VERS, crypt_prog_1, nconf))
194 		errx(1, "unable to register (CRYPT_PROG, CRYPT_VERS, unix)");
195 
196 	endnetconfig(localhandle);
197 
198 	umask(066);	/* paranoia */
199 
200 	if (!debugging) {
201 		daemon(0,0);
202 	}
203 
204 	signal(SIGPIPE, SIG_IGN);
205 
206 	svc_run();
207 	abort();
208 	/* NOTREACHED */
209 }
210 
211 /*
212  * In the event that we don't get a root password, we try to
213  * randomize the master key the best we can
214  */
215 static void
216 randomize(des_block *master)
217 {
218 #ifdef KEYSERV_RANDOM
219 	master->key.low = arc4random();
220 	master->key.high = arc4random();
221 #else
222 	/* use stupid dangerous bad rand() */
223 	sranddev();
224 	master->key.low = rand();
225 	master->key.high = rand();
226 #endif
227 }
228 
229 /*
230  * Try to get root's secret key, by prompting if terminal is a tty, else trying
231  * from standard input.
232  * Returns 1 on success.
233  */
234 static int
235 getrootkey(des_block *master, int prompt)
236 {
237 	char *passwd;
238 	char name[MAXNETNAMELEN + 1];
239 	char secret[HEXKEYBYTES];
240 	key_netstarg netstore;
241 	int fd;
242 
243 	if (!prompt) {
244 		/*
245 		 * Read secret key out of ROOTKEY
246 		 */
247 		fd = open(ROOTKEY, O_RDONLY, 0);
248 		if (fd < 0) {
249 			randomize(master);
250 			return (0);
251 		}
252 		if (read(fd, secret, HEXKEYBYTES) < HEXKEYBYTES) {
253 			warnx("the key read from %s was too short", ROOTKEY);
254 			close(fd);
255 			return (0);
256 		}
257 		close(fd);
258 		if (!getnetname(name)) {
259 		    warnx(
260 	"failed to generate host's netname when establishing root's key");
261 		    return (0);
262 		}
263 		memcpy(netstore.st_priv_key, secret, HEXKEYBYTES);
264 		memset(netstore.st_pub_key, 0, HEXKEYBYTES);
265 		netstore.st_netname = name;
266 		if (pk_netput(0, &netstore) != KEY_SUCCESS) {
267 		    warnx("could not set root's key and netname");
268 		    return (0);
269 		}
270 		return (1);
271 	}
272 	/*
273 	 * Decrypt yellow pages publickey entry to get secret key
274 	 */
275 	passwd = getpass("root password:");
276 	passwd2des(passwd, (char *)master);
277 	getnetname(name);
278 	if (!getsecretkey(name, secret, passwd)) {
279 		warnx("can't find %s's secret key", name);
280 		return (0);
281 	}
282 	if (secret[0] == 0) {
283 		warnx("password does not decrypt secret key for %s", name);
284 		return (0);
285 	}
286 	pk_setkey(0, secret);
287 	/*
288 	 * Store it for future use in $ROOTKEY, if possible
289 	 */
290 	fd = open(ROOTKEY, O_WRONLY|O_TRUNC|O_CREAT, 0);
291 	if (fd > 0) {
292 		char newline = '\n';
293 
294 		write(fd, secret, strlen(secret));
295 		write(fd, &newline, sizeof (newline));
296 		close(fd);
297 	}
298 	return (1);
299 }
300 
301 /*
302  * Procedures to implement RPC service
303  */
304 char *
305 strstatus(keystatus status)
306 {
307 	switch (status) {
308 	case KEY_SUCCESS:
309 		return ("KEY_SUCCESS");
310 	case KEY_NOSECRET:
311 		return ("KEY_NOSECRET");
312 	case KEY_UNKNOWN:
313 		return ("KEY_UNKNOWN");
314 	case KEY_SYSTEMERR:
315 		return ("KEY_SYSTEMERR");
316 	default:
317 		return ("(bad result code)");
318 	}
319 }
320 
321 keystatus *
322 key_set_1_svc_prog(uid_t uid, keybuf key)
323 {
324 	static keystatus status;
325 
326 	if (debugging) {
327 		fprintf(stderr, "set(%ld, %.*s) = ", uid,
328 				(int) sizeof (keybuf), key);
329 	}
330 	status = pk_setkey(uid, key);
331 	if (debugging) {
332 		fprintf(stderr, "%s\n", strstatus(status));
333 		fflush(stderr);
334 	}
335 	return (&status);
336 }
337 
338 cryptkeyres *
339 key_encrypt_pk_2_svc_prog(uid_t uid, cryptkeyarg2 *arg)
340 {
341 	static cryptkeyres res;
342 
343 	if (debugging) {
344 		fprintf(stderr, "encrypt(%ld, %s, %08x%08x) = ", uid,
345 				arg->remotename, arg->deskey.key.high,
346 				arg->deskey.key.low);
347 	}
348 	res.cryptkeyres_u.deskey = arg->deskey;
349 	res.status = pk_encrypt(uid, arg->remotename, &(arg->remotekey),
350 				&res.cryptkeyres_u.deskey);
351 	if (debugging) {
352 		if (res.status == KEY_SUCCESS) {
353 			fprintf(stderr, "%08x%08x\n",
354 					res.cryptkeyres_u.deskey.key.high,
355 					res.cryptkeyres_u.deskey.key.low);
356 		} else {
357 			fprintf(stderr, "%s\n", strstatus(res.status));
358 		}
359 		fflush(stderr);
360 	}
361 	return (&res);
362 }
363 
364 cryptkeyres *
365 key_decrypt_pk_2_svc_prog(uid_t uid, cryptkeyarg2 *arg)
366 {
367 	static cryptkeyres res;
368 
369 	if (debugging) {
370 		fprintf(stderr, "decrypt(%ld, %s, %08x%08x) = ", uid,
371 				arg->remotename, arg->deskey.key.high,
372 				arg->deskey.key.low);
373 	}
374 	res.cryptkeyres_u.deskey = arg->deskey;
375 	res.status = pk_decrypt(uid, arg->remotename, &(arg->remotekey),
376 				&res.cryptkeyres_u.deskey);
377 	if (debugging) {
378 		if (res.status == KEY_SUCCESS) {
379 			fprintf(stderr, "%08x%08x\n",
380 					res.cryptkeyres_u.deskey.key.high,
381 					res.cryptkeyres_u.deskey.key.low);
382 		} else {
383 			fprintf(stderr, "%s\n", strstatus(res.status));
384 		}
385 		fflush(stderr);
386 	}
387 	return (&res);
388 }
389 
390 keystatus *
391 key_net_put_2_svc_prog(uid_t uid, key_netstarg *arg)
392 {
393 	static keystatus status;
394 
395 	if (debugging) {
396 		fprintf(stderr, "net_put(%s, %.*s, %.*s) = ",
397 			arg->st_netname, (int)sizeof (arg->st_pub_key),
398 			arg->st_pub_key, (int)sizeof (arg->st_priv_key),
399 			arg->st_priv_key);
400 	};
401 
402 	status = pk_netput(uid, arg);
403 
404 	if (debugging) {
405 		fprintf(stderr, "%s\n", strstatus(status));
406 		fflush(stderr);
407 	}
408 
409 	return (&status);
410 }
411 
412 key_netstres *
413 key_net_get_2_svc_prog(uid_t uid, void *arg)
414 {
415 	static key_netstres keynetname;
416 
417 	if (debugging)
418 		fprintf(stderr, "net_get(%ld) = ", uid);
419 
420 	keynetname.status = pk_netget(uid, &keynetname.key_netstres_u.knet);
421 	if (debugging) {
422 		if (keynetname.status == KEY_SUCCESS) {
423 			fprintf(stderr, "<%s, %.*s, %.*s>\n",
424 			keynetname.key_netstres_u.knet.st_netname,
425 			(int)sizeof (keynetname.key_netstres_u.knet.st_pub_key),
426 			keynetname.key_netstres_u.knet.st_pub_key,
427 			(int)sizeof (keynetname.key_netstres_u.knet.st_priv_key),
428 			keynetname.key_netstres_u.knet.st_priv_key);
429 		} else {
430 			fprintf(stderr, "NOT FOUND\n");
431 		}
432 		fflush(stderr);
433 	}
434 
435 	return (&keynetname);
436 
437 }
438 
439 cryptkeyres *
440 key_get_conv_2_svc_prog(uid_t uid, keybuf arg)
441 {
442 	static cryptkeyres  res;
443 
444 	if (debugging)
445 		fprintf(stderr, "get_conv(%ld, %.*s) = ", uid,
446 			(int)sizeof (arg), arg);
447 
448 
449 	res.status = pk_get_conv_key(uid, arg, &res);
450 
451 	if (debugging) {
452 		if (res.status == KEY_SUCCESS) {
453 			fprintf(stderr, "%08x%08x\n",
454 				res.cryptkeyres_u.deskey.key.high,
455 				res.cryptkeyres_u.deskey.key.low);
456 		} else {
457 			fprintf(stderr, "%s\n", strstatus(res.status));
458 		}
459 		fflush(stderr);
460 	}
461 	return (&res);
462 }
463 
464 
465 cryptkeyres *
466 key_encrypt_1_svc_prog(uid_t uid, cryptkeyarg *arg)
467 {
468 	static cryptkeyres res;
469 
470 	if (debugging) {
471 		fprintf(stderr, "encrypt(%ld, %s, %08x%08x) = ", uid,
472 				arg->remotename, arg->deskey.key.high,
473 				arg->deskey.key.low);
474 	}
475 	res.cryptkeyres_u.deskey = arg->deskey;
476 	res.status = pk_encrypt(uid, arg->remotename, NULL,
477 				&res.cryptkeyres_u.deskey);
478 	if (debugging) {
479 		if (res.status == KEY_SUCCESS) {
480 			fprintf(stderr, "%08x%08x\n",
481 					res.cryptkeyres_u.deskey.key.high,
482 					res.cryptkeyres_u.deskey.key.low);
483 		} else {
484 			fprintf(stderr, "%s\n", strstatus(res.status));
485 		}
486 		fflush(stderr);
487 	}
488 	return (&res);
489 }
490 
491 cryptkeyres *
492 key_decrypt_1_svc_prog(uid_t uid, cryptkeyarg *arg)
493 {
494 	static cryptkeyres res;
495 
496 	if (debugging) {
497 		fprintf(stderr, "decrypt(%ld, %s, %08x%08x) = ", uid,
498 				arg->remotename, arg->deskey.key.high,
499 				arg->deskey.key.low);
500 	}
501 	res.cryptkeyres_u.deskey = arg->deskey;
502 	res.status = pk_decrypt(uid, arg->remotename, NULL,
503 				&res.cryptkeyres_u.deskey);
504 	if (debugging) {
505 		if (res.status == KEY_SUCCESS) {
506 			fprintf(stderr, "%08x%08x\n",
507 					res.cryptkeyres_u.deskey.key.high,
508 					res.cryptkeyres_u.deskey.key.low);
509 		} else {
510 			fprintf(stderr, "%s\n", strstatus(res.status));
511 		}
512 		fflush(stderr);
513 	}
514 	return (&res);
515 }
516 
517 /* ARGSUSED */
518 des_block *
519 key_gen_1_svc_prog(void *v, struct svc_req *s)
520 {
521 	struct timeval time;
522 	static des_block keygen;
523 	static des_block key;
524 
525 	gettimeofday(&time, NULL);
526 	keygen.key.high += (time.tv_sec ^ time.tv_usec);
527 	keygen.key.low += (time.tv_sec ^ time.tv_usec);
528 	ecb_crypt((char *)&masterkey, (char *)&keygen, sizeof (keygen),
529 		DES_ENCRYPT | DES_HW);
530 	key = keygen;
531 	des_setparity((char *)&key);
532 	if (debugging) {
533 		fprintf(stderr, "gen() = %08x%08x\n", key.key.high,
534 					key.key.low);
535 		fflush(stderr);
536 	}
537 	return (&key);
538 }
539 
540 getcredres *
541 key_getcred_1_svc_prog(uid_t uid, netnamestr *name)
542 {
543 	static getcredres res;
544 	static u_int gids[NGROUPS];
545 	struct unixcred *cred;
546 
547 	cred = &res.getcredres_u.cred;
548 	cred->gids.gids_val = gids;
549 	if (!netname2user(*name, (uid_t *) &cred->uid, (gid_t *) &cred->gid,
550 			(int *)&cred->gids.gids_len, (gid_t *)gids)) {
551 		res.status = KEY_UNKNOWN;
552 	} else {
553 		res.status = KEY_SUCCESS;
554 	}
555 	if (debugging) {
556 		fprintf(stderr, "getcred(%s) = ", *name);
557 		if (res.status == KEY_SUCCESS) {
558 			fprintf(stderr, "uid=%d, gid=%d, grouplen=%d\n",
559 				cred->uid, cred->gid, cred->gids.gids_len);
560 		} else {
561 			fprintf(stderr, "%s\n", strstatus(res.status));
562 		}
563 		fflush(stderr);
564 	}
565 	return (&res);
566 }
567 
568 /*
569  * RPC boilerplate
570  */
571 static void
572 keyprogram(struct svc_req *rqstp, SVCXPRT *transp)
573 {
574 	union {
575 		keybuf key_set_1_arg;
576 		cryptkeyarg key_encrypt_1_arg;
577 		cryptkeyarg key_decrypt_1_arg;
578 		netnamestr key_getcred_1_arg;
579 		cryptkeyarg key_encrypt_2_arg;
580 		cryptkeyarg key_decrypt_2_arg;
581 		netnamestr key_getcred_2_arg;
582 		cryptkeyarg2 key_encrypt_pk_2_arg;
583 		cryptkeyarg2 key_decrypt_pk_2_arg;
584 		key_netstarg key_net_put_2_arg;
585 		netobj  key_get_conv_2_arg;
586 	} argument;
587 	char *result;
588 	xdrproc_t xdr_argument, xdr_result;
589 	char *(*local) ();
590 	uid_t uid = -1;
591 	int check_auth;
592 
593 	switch (rqstp->rq_proc) {
594 	case NULLPROC:
595 		svc_sendreply(transp, (xdrproc_t)xdr_void, NULL);
596 		return;
597 
598 	case KEY_SET:
599 		xdr_argument = (xdrproc_t)xdr_keybuf;
600 		xdr_result = (xdrproc_t)xdr_int;
601 		local = (char *(*)()) key_set_1_svc_prog;
602 		check_auth = 1;
603 		break;
604 
605 	case KEY_ENCRYPT:
606 		xdr_argument = (xdrproc_t)xdr_cryptkeyarg;
607 		xdr_result = (xdrproc_t)xdr_cryptkeyres;
608 		local = (char *(*)()) key_encrypt_1_svc_prog;
609 		check_auth = 1;
610 		break;
611 
612 	case KEY_DECRYPT:
613 		xdr_argument = (xdrproc_t)xdr_cryptkeyarg;
614 		xdr_result = (xdrproc_t)xdr_cryptkeyres;
615 		local = (char *(*)()) key_decrypt_1_svc_prog;
616 		check_auth = 1;
617 		break;
618 
619 	case KEY_GEN:
620 		xdr_argument = (xdrproc_t)xdr_void;
621 		xdr_result = (xdrproc_t)xdr_des_block;
622 		local = (char *(*)()) key_gen_1_svc_prog;
623 		check_auth = 0;
624 		break;
625 
626 	case KEY_GETCRED:
627 		xdr_argument = (xdrproc_t)xdr_netnamestr;
628 		xdr_result = (xdrproc_t)xdr_getcredres;
629 		local = (char *(*)()) key_getcred_1_svc_prog;
630 		check_auth = 0;
631 		break;
632 
633 	case KEY_ENCRYPT_PK:
634 		xdr_argument = (xdrproc_t)xdr_cryptkeyarg2;
635 		xdr_result = (xdrproc_t)xdr_cryptkeyres;
636 		local = (char *(*)()) key_encrypt_pk_2_svc_prog;
637 		check_auth = 1;
638 		break;
639 
640 	case KEY_DECRYPT_PK:
641 		xdr_argument = (xdrproc_t)xdr_cryptkeyarg2;
642 		xdr_result = (xdrproc_t)xdr_cryptkeyres;
643 		local = (char *(*)()) key_decrypt_pk_2_svc_prog;
644 		check_auth = 1;
645 		break;
646 
647 
648 	case KEY_NET_PUT:
649 		xdr_argument = (xdrproc_t)xdr_key_netstarg;
650 		xdr_result = (xdrproc_t)xdr_keystatus;
651 		local = (char *(*)()) key_net_put_2_svc_prog;
652 		check_auth = 1;
653 		break;
654 
655 	case KEY_NET_GET:
656 		xdr_argument = (xdrproc_t) xdr_void;
657 		xdr_result = (xdrproc_t)xdr_key_netstres;
658 		local = (char *(*)()) key_net_get_2_svc_prog;
659 		check_auth = 1;
660 		break;
661 
662 	case KEY_GET_CONV:
663 		xdr_argument = (xdrproc_t) xdr_keybuf;
664 		xdr_result = (xdrproc_t)xdr_cryptkeyres;
665 		local = (char *(*)()) key_get_conv_2_svc_prog;
666 		check_auth = 1;
667 		break;
668 
669 	default:
670 		svcerr_noproc(transp);
671 		return;
672 	}
673 	if (check_auth) {
674 		if (root_auth(transp, rqstp) == 0) {
675 			if (debugging) {
676 				fprintf(stderr,
677 					"not local privileged process\n");
678 			}
679 			svcerr_weakauth(transp);
680 			return;
681 		}
682 		if (rqstp->rq_cred.oa_flavor != AUTH_SYS) {
683 			if (debugging) {
684 				fprintf(stderr, "not unix authentication\n");
685 			}
686 			svcerr_weakauth(transp);
687 			return;
688 		}
689 		uid = ((struct authsys_parms *)rqstp->rq_clntcred)->aup_uid;
690 	}
691 
692 	memset(&argument, 0, sizeof (argument));
693 	if (!svc_getargs(transp, xdr_argument, &argument)) {
694 		svcerr_decode(transp);
695 		return;
696 	}
697 	result = (*local) (uid, &argument);
698 	if (!svc_sendreply(transp, xdr_result, result)) {
699 		if (debugging)
700 			fprintf(stderr, "unable to reply\n");
701 		svcerr_systemerr(transp);
702 	}
703 	if (!svc_freeargs(transp, xdr_argument, &argument)) {
704 		if (debugging)
705 			fprintf(stderr, "unable to free arguments\n");
706 		exit(1);
707 	}
708 	return;
709 }
710 
711 static int
712 root_auth(SVCXPRT *trans, struct svc_req *rqstp)
713 {
714 	uid_t uid;
715 	struct sockaddr *remote;
716 
717 	remote = svc_getrpccaller(trans)->buf;
718 	if (remote->sa_family != AF_UNIX) {
719 		if (debugging)
720 			fprintf(stderr, "client didn't use AF_UNIX\n");
721 		return (0);
722 	}
723 
724 	if (__rpc_get_local_uid(trans, &uid) < 0) {
725 		if (debugging)
726 			fprintf(stderr, "__rpc_get_local_uid failed\n");
727 		return (0);
728 	}
729 
730 	if (debugging)
731 		fprintf(stderr, "local_uid  %ld\n", uid);
732 	if (uid == 0)
733 		return (1);
734 	if (rqstp->rq_cred.oa_flavor == AUTH_SYS) {
735 		if (((uid_t) ((struct authunix_parms *)
736 			rqstp->rq_clntcred)->aup_uid)
737 			== uid) {
738 			return (1);
739 		} else {
740 			if (debugging)
741 				fprintf(stderr,
742 			"local_uid  %ld mismatches auth %ld\n", uid,
743 ((uid_t) ((struct authunix_parms *)rqstp->rq_clntcred)->aup_uid));
744 			return (0);
745 		}
746 	} else {
747 		if (debugging)
748 			fprintf(stderr, "Not auth sys\n");
749 		return (0);
750 	}
751 }
752 
753 static void
754 usage(void)
755 {
756 	fprintf(stderr, "usage: keyserv [-n] [-D] [-d] [-v] [-p path]\n");
757 	fprintf(stderr, "-d disables the use of default keys\n");
758 	exit(1);
759 }
760