keyserv.c revision 110665 
1/*
2 * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
3 * unrestricted use provided that this legend is included on all tape
4 * media and as a part of the software program in whole or part.  Users
5 * may copy or modify Sun RPC without charge, but are not authorized
6 * to license or distribute it to anyone else except as part of a product or
7 * program developed by the user.
8 *
9 * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
10 * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR
11 * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
12 *
13 * Sun RPC is provided with no support and without any obligation on the
14 * part of Sun Microsystems, Inc. to assist in its use, correction,
15 * modification or enhancement.
16 *
17 * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
18 * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
19 * OR ANY PART THEREOF.
20 *
21 * In no event will Sun Microsystems, Inc. be liable for any lost revenue
22 * or profits or other special, indirect and consequential damages, even if
23 * Sun has been advised of the possibility of such damages.
24 *
25 * Sun Microsystems, Inc.
26 * 2550 Garcia Avenue
27 * Mountain View, California  94043
28 */
29
30#ifndef lint
31#if 0
32static char sccsid[] = "@(#)keyserv.c	1.15	94/04/25 SMI";
33#endif
34static const char rcsid[] =
35  "$FreeBSD: head/usr.sbin/keyserv/keyserv.c 110665 2003-02-11 01:56:40Z ache $";
36#endif /* not lint */
37
38/*
39 * Copyright (c) 1986 - 1991 by Sun Microsystems, Inc.
40 */
41
42/*
43 * Keyserver
44 * Store secret keys per uid. Do public key encryption and decryption
45 * operations. Generate "random" keys.
46 * Do not talk to anything but a local root
47 * process on the local transport only
48 */
49
50#include <err.h>
51#include <pwd.h>
52#include <stdio.h>
53#include <stdlib.h>
54#include <string.h>
55#include <unistd.h>
56#include <sys/stat.h>
57#include <sys/types.h>
58#include <rpc/rpc.h>
59#include <sys/param.h>
60#include <sys/file.h>
61#include <rpc/des_crypt.h>
62#include <rpc/des.h>
63#include <rpc/key_prot.h>
64#include <rpcsvc/crypt.h>
65#include "keyserv.h"
66
67#ifndef NGROUPS
68#define	NGROUPS 16
69#endif
70
71#ifndef KEYSERVSOCK
72#define KEYSERVSOCK "/var/run/keyservsock"
73#endif
74
75static void randomize __P(( des_block * ));
76static void usage __P(( void ));
77static int getrootkey __P(( des_block *, int ));
78static int root_auth __P(( SVCXPRT *, struct svc_req * ));
79
80#ifdef DEBUG
81static int debugging = 1;
82#else
83static int debugging = 0;
84#endif
85
86static void keyprogram();
87static des_block masterkey;
88char *getenv();
89static char ROOTKEY[] = "/etc/.rootkey";
90
91/*
92 * Hack to allow the keyserver to use AUTH_DES (for authenticated
93 * NIS+ calls, for example).  The only functions that get called
94 * are key_encryptsession_pk, key_decryptsession_pk, and key_gendes.
95 *
96 * The approach is to have the keyserver fill in pointers to local
97 * implementations of these functions, and to call those in key_call().
98 */
99
100extern cryptkeyres *(*__key_encryptsession_pk_LOCAL)();
101extern cryptkeyres *(*__key_decryptsession_pk_LOCAL)();
102extern des_block *(*__key_gendes_LOCAL)();
103extern int (*__des_crypt_LOCAL)();
104
105cryptkeyres *key_encrypt_pk_2_svc_prog __P(( uid_t, cryptkeyarg2 * ));
106cryptkeyres *key_decrypt_pk_2_svc_prog __P(( uid_t, cryptkeyarg2 * ));
107des_block *key_gen_1_svc_prog __P(( void *, struct svc_req * ));
108
109int
110main(argc, argv)
111	int argc;
112	char *argv[];
113{
114	int nflag = 0;
115	int c;
116	int warn = 0;
117	char *path = NULL;
118	void *localhandle;
119	register SVCXPRT *transp;
120	struct netconfig *nconf = NULL;
121
122	__key_encryptsession_pk_LOCAL = &key_encrypt_pk_2_svc_prog;
123	__key_decryptsession_pk_LOCAL = &key_decrypt_pk_2_svc_prog;
124	__key_gendes_LOCAL = &key_gen_1_svc_prog;
125
126	while ((c = getopt(argc, argv, "ndDvp:")) != -1)
127		switch (c) {
128		case 'n':
129			nflag++;
130			break;
131		case 'd':
132			pk_nodefaultkeys();
133			break;
134		case 'D':
135			debugging = 1;
136			break;
137		case 'v':
138			warn = 1;
139			break;
140		case 'p':
141			path = optarg;
142			break;
143		default:
144			usage();
145		}
146
147	load_des(warn, path);
148	__des_crypt_LOCAL = _my_crypt;
149	if (svc_auth_reg(AUTH_DES, _svcauth_des) == -1)
150		errx(1, "failed to register AUTH_DES authenticator");
151
152	if (optind != argc) {
153		usage();
154	}
155
156	/*
157	 * Initialize
158	 */
159	(void) umask(S_IXUSR|S_IXGRP|S_IXOTH);
160	if (geteuid() != 0)
161		errx(1, "keyserv must be run as root");
162	setmodulus(HEXMODULUS);
163	getrootkey(&masterkey, nflag);
164
165	rpcb_unset(KEY_PROG, KEY_VERS, NULL);
166	rpcb_unset(KEY_PROG, KEY_VERS2, NULL);
167
168	if (svc_create(keyprogram, KEY_PROG, KEY_VERS,
169		"netpath") == 0) {
170		(void) fprintf(stderr,
171			"%s: unable to create service\n", argv[0]);
172		exit(1);
173	}
174
175	if (svc_create(keyprogram, KEY_PROG, KEY_VERS2,
176	"netpath") == 0) {
177		(void) fprintf(stderr,
178			"%s: unable to create service\n", argv[0]);
179		exit(1);
180	}
181
182	localhandle = setnetconfig();
183	while ((nconf = getnetconfig(localhandle)) != NULL) {
184		if (nconf->nc_protofmly != NULL &&
185		    strcmp(nconf->nc_protofmly, NC_LOOPBACK) == 0)
186			break;
187	}
188
189	if (nconf == NULL)
190		errx(1, "getnetconfig: %s", nc_sperror());
191
192	unlink(KEYSERVSOCK);
193	rpcb_unset(CRYPT_PROG, CRYPT_VERS, nconf);
194	transp = svcunix_create(RPC_ANYSOCK, 0, 0, KEYSERVSOCK);
195	if (transp == NULL)
196		errx(1, "cannot create AF_LOCAL service");
197	if (!svc_reg(transp, KEY_PROG, KEY_VERS, keyprogram, nconf))
198		errx(1, "unable to register (KEY_PROG, KEY_VERS, unix)");
199	if (!svc_reg(transp, KEY_PROG, KEY_VERS2, keyprogram, nconf))
200		errx(1, "unable to register (KEY_PROG, KEY_VERS2, unix)");
201	if (!svc_reg(transp, CRYPT_PROG, CRYPT_VERS, crypt_prog_1, nconf))
202		errx(1, "unable to register (CRYPT_PROG, CRYPT_VERS, unix)");
203
204	endnetconfig(localhandle);
205
206	(void) umask(066);	/* paranoia */
207
208	if (!debugging) {
209		daemon(0,0);
210	}
211
212	signal(SIGPIPE, SIG_IGN);
213
214	svc_run();
215	abort();
216	/* NOTREACHED */
217}
218
219/*
220 * In the event that we don't get a root password, we try to
221 * randomize the master key the best we can
222 */
223static void
224randomize(master)
225	des_block *master;
226{
227#ifndef __FreeBSD__
228	int i;
229	int seed;
230	struct timeval tv;
231	int shift;
232
233	seed = 0;
234	for (i = 0; i < 1024; i++) {
235		(void) gettimeofday(&tv, (struct timezone *) NULL);
236		shift = i % 8 * sizeof (int);
237		seed ^= (tv.tv_usec << shift) | (tv.tv_usec >> (32 - shift));
238	}
239#endif
240#ifdef KEYSERV_RANDOM
241#ifdef __FreeBSD__
242	srandomdev();
243#else
244	srandom(seed);
245#endif
246	master->key.low = random();
247	master->key.high = random();
248#else
249	/* use stupid dangerous bad rand() */
250#ifdef __FreeBSD__
251	sranddev();
252#else
253	srand(seed);
254#endif
255	master->key.low = rand();
256	master->key.high = rand();
257#endif
258}
259
260/*
261 * Try to get root's secret key, by prompting if terminal is a tty, else trying
262 * from standard input.
263 * Returns 1 on success.
264 */
265static int
266getrootkey(master, prompt)
267	des_block *master;
268	int prompt;
269{
270	char *passwd;
271	char name[MAXNETNAMELEN + 1];
272	char secret[HEXKEYBYTES];
273	key_netstarg netstore;
274	int fd;
275
276	if (!prompt) {
277		/*
278		 * Read secret key out of ROOTKEY
279		 */
280		fd = open(ROOTKEY, O_RDONLY, 0);
281		if (fd < 0) {
282			randomize(master);
283			return (0);
284		}
285		if (read(fd, secret, HEXKEYBYTES) < HEXKEYBYTES) {
286			warnx("the key read from %s was too short", ROOTKEY);
287			(void) close(fd);
288			return (0);
289		}
290		(void) close(fd);
291		if (!getnetname(name)) {
292		    warnx(
293	"failed to generate host's netname when establishing root's key");
294		    return (0);
295		}
296		memcpy(netstore.st_priv_key, secret, HEXKEYBYTES);
297		memset(netstore.st_pub_key, 0, HEXKEYBYTES);
298		netstore.st_netname = name;
299		if (pk_netput(0, &netstore) != KEY_SUCCESS) {
300		    warnx("could not set root's key and netname");
301		    return (0);
302		}
303		return (1);
304	}
305	/*
306	 * Decrypt yellow pages publickey entry to get secret key
307	 */
308	passwd = getpass("root password:");
309	passwd2des(passwd, (char *)master);
310	getnetname(name);
311	if (!getsecretkey(name, secret, passwd)) {
312		warnx("can't find %s's secret key", name);
313		return (0);
314	}
315	if (secret[0] == 0) {
316		warnx("password does not decrypt secret key for %s", name);
317		return (0);
318	}
319	(void) pk_setkey(0, secret);
320	/*
321	 * Store it for future use in $ROOTKEY, if possible
322	 */
323	fd = open(ROOTKEY, O_WRONLY|O_TRUNC|O_CREAT, 0);
324	if (fd > 0) {
325		char newline = '\n';
326
327		write(fd, secret, strlen(secret));
328		write(fd, &newline, sizeof (newline));
329		close(fd);
330	}
331	return (1);
332}
333
334/*
335 * Procedures to implement RPC service
336 */
337char *
338strstatus(status)
339	keystatus status;
340{
341	switch (status) {
342	case KEY_SUCCESS:
343		return ("KEY_SUCCESS");
344	case KEY_NOSECRET:
345		return ("KEY_NOSECRET");
346	case KEY_UNKNOWN:
347		return ("KEY_UNKNOWN");
348	case KEY_SYSTEMERR:
349		return ("KEY_SYSTEMERR");
350	default:
351		return ("(bad result code)");
352	}
353}
354
355keystatus *
356key_set_1_svc_prog(uid, key)
357	uid_t uid;
358	keybuf key;
359{
360	static keystatus status;
361
362	if (debugging) {
363		(void) fprintf(stderr, "set(%ld, %.*s) = ", uid,
364				(int) sizeof (keybuf), key);
365	}
366	status = pk_setkey(uid, key);
367	if (debugging) {
368		(void) fprintf(stderr, "%s\n", strstatus(status));
369		(void) fflush(stderr);
370	}
371	return (&status);
372}
373
374cryptkeyres *
375key_encrypt_pk_2_svc_prog(uid, arg)
376	uid_t uid;
377	cryptkeyarg2 *arg;
378{
379	static cryptkeyres res;
380
381	if (debugging) {
382		(void) fprintf(stderr, "encrypt(%ld, %s, %08x%08x) = ", uid,
383				arg->remotename, arg->deskey.key.high,
384				arg->deskey.key.low);
385	}
386	res.cryptkeyres_u.deskey = arg->deskey;
387	res.status = pk_encrypt(uid, arg->remotename, &(arg->remotekey),
388				&res.cryptkeyres_u.deskey);
389	if (debugging) {
390		if (res.status == KEY_SUCCESS) {
391			(void) fprintf(stderr, "%08x%08x\n",
392					res.cryptkeyres_u.deskey.key.high,
393					res.cryptkeyres_u.deskey.key.low);
394		} else {
395			(void) fprintf(stderr, "%s\n", strstatus(res.status));
396		}
397		(void) fflush(stderr);
398	}
399	return (&res);
400}
401
402cryptkeyres *
403key_decrypt_pk_2_svc_prog(uid, arg)
404	uid_t uid;
405	cryptkeyarg2 *arg;
406{
407	static cryptkeyres res;
408
409	if (debugging) {
410		(void) fprintf(stderr, "decrypt(%ld, %s, %08x%08x) = ", uid,
411				arg->remotename, arg->deskey.key.high,
412				arg->deskey.key.low);
413	}
414	res.cryptkeyres_u.deskey = arg->deskey;
415	res.status = pk_decrypt(uid, arg->remotename, &(arg->remotekey),
416				&res.cryptkeyres_u.deskey);
417	if (debugging) {
418		if (res.status == KEY_SUCCESS) {
419			(void) fprintf(stderr, "%08x%08x\n",
420					res.cryptkeyres_u.deskey.key.high,
421					res.cryptkeyres_u.deskey.key.low);
422		} else {
423			(void) fprintf(stderr, "%s\n", strstatus(res.status));
424		}
425		(void) fflush(stderr);
426	}
427	return (&res);
428}
429
430keystatus *
431key_net_put_2_svc_prog(uid, arg)
432	uid_t uid;
433	key_netstarg *arg;
434{
435	static keystatus status;
436
437	if (debugging) {
438		(void) fprintf(stderr, "net_put(%s, %.*s, %.*s) = ",
439			arg->st_netname, (int)sizeof (arg->st_pub_key),
440			arg->st_pub_key, (int)sizeof (arg->st_priv_key),
441			arg->st_priv_key);
442	};
443
444	status = pk_netput(uid, arg);
445
446	if (debugging) {
447		(void) fprintf(stderr, "%s\n", strstatus(status));
448		(void) fflush(stderr);
449	}
450
451	return (&status);
452}
453
454key_netstres *
455key_net_get_2_svc_prog(uid, arg)
456	uid_t uid;
457	void *arg;
458{
459	static key_netstres keynetname;
460
461	if (debugging)
462		(void) fprintf(stderr, "net_get(%ld) = ", uid);
463
464	keynetname.status = pk_netget(uid, &keynetname.key_netstres_u.knet);
465	if (debugging) {
466		if (keynetname.status == KEY_SUCCESS) {
467			fprintf(stderr, "<%s, %.*s, %.*s>\n",
468			keynetname.key_netstres_u.knet.st_netname,
469			(int)sizeof (keynetname.key_netstres_u.knet.st_pub_key),
470			keynetname.key_netstres_u.knet.st_pub_key,
471			(int)sizeof (keynetname.key_netstres_u.knet.st_priv_key),
472			keynetname.key_netstres_u.knet.st_priv_key);
473		} else {
474			(void) fprintf(stderr, "NOT FOUND\n");
475		}
476		(void) fflush(stderr);
477	}
478
479	return (&keynetname);
480
481}
482
483cryptkeyres *
484key_get_conv_2_svc_prog(uid, arg)
485	uid_t uid;
486	keybuf arg;
487{
488	static cryptkeyres  res;
489
490	if (debugging)
491		(void) fprintf(stderr, "get_conv(%ld, %.*s) = ", uid,
492			(int)sizeof (arg), arg);
493
494
495	res.status = pk_get_conv_key(uid, arg, &res);
496
497	if (debugging) {
498		if (res.status == KEY_SUCCESS) {
499			(void) fprintf(stderr, "%08x%08x\n",
500				res.cryptkeyres_u.deskey.key.high,
501				res.cryptkeyres_u.deskey.key.low);
502		} else {
503			(void) fprintf(stderr, "%s\n", strstatus(res.status));
504		}
505		(void) fflush(stderr);
506	}
507	return (&res);
508}
509
510
511cryptkeyres *
512key_encrypt_1_svc_prog(uid, arg)
513	uid_t uid;
514	cryptkeyarg *arg;
515{
516	static cryptkeyres res;
517
518	if (debugging) {
519		(void) fprintf(stderr, "encrypt(%ld, %s, %08x%08x) = ", uid,
520				arg->remotename, arg->deskey.key.high,
521				arg->deskey.key.low);
522	}
523	res.cryptkeyres_u.deskey = arg->deskey;
524	res.status = pk_encrypt(uid, arg->remotename, NULL,
525				&res.cryptkeyres_u.deskey);
526	if (debugging) {
527		if (res.status == KEY_SUCCESS) {
528			(void) fprintf(stderr, "%08x%08x\n",
529					res.cryptkeyres_u.deskey.key.high,
530					res.cryptkeyres_u.deskey.key.low);
531		} else {
532			(void) fprintf(stderr, "%s\n", strstatus(res.status));
533		}
534		(void) fflush(stderr);
535	}
536	return (&res);
537}
538
539cryptkeyres *
540key_decrypt_1_svc_prog(uid, arg)
541	uid_t uid;
542	cryptkeyarg *arg;
543{
544	static cryptkeyres res;
545
546	if (debugging) {
547		(void) fprintf(stderr, "decrypt(%ld, %s, %08x%08x) = ", uid,
548				arg->remotename, arg->deskey.key.high,
549				arg->deskey.key.low);
550	}
551	res.cryptkeyres_u.deskey = arg->deskey;
552	res.status = pk_decrypt(uid, arg->remotename, NULL,
553				&res.cryptkeyres_u.deskey);
554	if (debugging) {
555		if (res.status == KEY_SUCCESS) {
556			(void) fprintf(stderr, "%08x%08x\n",
557					res.cryptkeyres_u.deskey.key.high,
558					res.cryptkeyres_u.deskey.key.low);
559		} else {
560			(void) fprintf(stderr, "%s\n", strstatus(res.status));
561		}
562		(void) fflush(stderr);
563	}
564	return (&res);
565}
566
567/* ARGSUSED */
568des_block *
569key_gen_1_svc_prog(v, s)
570	void	*v;
571	struct svc_req	*s;
572{
573	struct timeval time;
574	static des_block keygen;
575	static des_block key;
576
577	(void) gettimeofday(&time, (struct timezone *) NULL);
578	keygen.key.high += (time.tv_sec ^ time.tv_usec);
579	keygen.key.low += (time.tv_sec ^ time.tv_usec);
580	ecb_crypt((char *)&masterkey, (char *)&keygen, sizeof (keygen),
581		DES_ENCRYPT | DES_HW);
582	key = keygen;
583	des_setparity((char *)&key);
584	if (debugging) {
585		(void) fprintf(stderr, "gen() = %08x%08x\n", key.key.high,
586					key.key.low);
587		(void) fflush(stderr);
588	}
589	return (&key);
590}
591
592getcredres *
593key_getcred_1_svc_prog(uid, name)
594	uid_t uid;
595	netnamestr *name;
596{
597	static getcredres res;
598	static u_int gids[NGROUPS];
599	struct unixcred *cred;
600
601	cred = &res.getcredres_u.cred;
602	cred->gids.gids_val = gids;
603	if (!netname2user(*name, (uid_t *) &cred->uid, (gid_t *) &cred->gid,
604			(int *)&cred->gids.gids_len, (gid_t *)gids)) {
605		res.status = KEY_UNKNOWN;
606	} else {
607		res.status = KEY_SUCCESS;
608	}
609	if (debugging) {
610		(void) fprintf(stderr, "getcred(%s) = ", *name);
611		if (res.status == KEY_SUCCESS) {
612			(void) fprintf(stderr, "uid=%d, gid=%d, grouplen=%d\n",
613				cred->uid, cred->gid, cred->gids.gids_len);
614		} else {
615			(void) fprintf(stderr, "%s\n", strstatus(res.status));
616		}
617		(void) fflush(stderr);
618	}
619	return (&res);
620}
621
622/*
623 * RPC boilerplate
624 */
625static void
626keyprogram(rqstp, transp)
627	struct svc_req *rqstp;
628	SVCXPRT *transp;
629{
630	union {
631		keybuf key_set_1_arg;
632		cryptkeyarg key_encrypt_1_arg;
633		cryptkeyarg key_decrypt_1_arg;
634		netnamestr key_getcred_1_arg;
635		cryptkeyarg key_encrypt_2_arg;
636		cryptkeyarg key_decrypt_2_arg;
637		netnamestr key_getcred_2_arg;
638		cryptkeyarg2 key_encrypt_pk_2_arg;
639		cryptkeyarg2 key_decrypt_pk_2_arg;
640		key_netstarg key_net_put_2_arg;
641		netobj  key_get_conv_2_arg;
642	} argument;
643	char *result;
644	xdrproc_t xdr_argument, xdr_result;
645	char *(*local) ();
646	uid_t uid = -1;
647	int check_auth;
648
649	switch (rqstp->rq_proc) {
650	case NULLPROC:
651		svc_sendreply(transp, (xdrproc_t)xdr_void, NULL);
652		return;
653
654	case KEY_SET:
655		xdr_argument = (xdrproc_t)xdr_keybuf;
656		xdr_result = (xdrproc_t)xdr_int;
657		local = (char *(*)()) key_set_1_svc_prog;
658		check_auth = 1;
659		break;
660
661	case KEY_ENCRYPT:
662		xdr_argument = (xdrproc_t)xdr_cryptkeyarg;
663		xdr_result = (xdrproc_t)xdr_cryptkeyres;
664		local = (char *(*)()) key_encrypt_1_svc_prog;
665		check_auth = 1;
666		break;
667
668	case KEY_DECRYPT:
669		xdr_argument = (xdrproc_t)xdr_cryptkeyarg;
670		xdr_result = (xdrproc_t)xdr_cryptkeyres;
671		local = (char *(*)()) key_decrypt_1_svc_prog;
672		check_auth = 1;
673		break;
674
675	case KEY_GEN:
676		xdr_argument = (xdrproc_t)xdr_void;
677		xdr_result = (xdrproc_t)xdr_des_block;
678		local = (char *(*)()) key_gen_1_svc_prog;
679		check_auth = 0;
680		break;
681
682	case KEY_GETCRED:
683		xdr_argument = (xdrproc_t)xdr_netnamestr;
684		xdr_result = (xdrproc_t)xdr_getcredres;
685		local = (char *(*)()) key_getcred_1_svc_prog;
686		check_auth = 0;
687		break;
688
689	case KEY_ENCRYPT_PK:
690		xdr_argument = (xdrproc_t)xdr_cryptkeyarg2;
691		xdr_result = (xdrproc_t)xdr_cryptkeyres;
692		local = (char *(*)()) key_encrypt_pk_2_svc_prog;
693		check_auth = 1;
694		break;
695
696	case KEY_DECRYPT_PK:
697		xdr_argument = (xdrproc_t)xdr_cryptkeyarg2;
698		xdr_result = (xdrproc_t)xdr_cryptkeyres;
699		local = (char *(*)()) key_decrypt_pk_2_svc_prog;
700		check_auth = 1;
701		break;
702
703
704	case KEY_NET_PUT:
705		xdr_argument = (xdrproc_t)xdr_key_netstarg;
706		xdr_result = (xdrproc_t)xdr_keystatus;
707		local = (char *(*)()) key_net_put_2_svc_prog;
708		check_auth = 1;
709		break;
710
711	case KEY_NET_GET:
712		xdr_argument = (xdrproc_t) xdr_void;
713		xdr_result = (xdrproc_t)xdr_key_netstres;
714		local = (char *(*)()) key_net_get_2_svc_prog;
715		check_auth = 1;
716		break;
717
718	case KEY_GET_CONV:
719		xdr_argument = (xdrproc_t) xdr_keybuf;
720		xdr_result = (xdrproc_t)xdr_cryptkeyres;
721		local = (char *(*)()) key_get_conv_2_svc_prog;
722		check_auth = 1;
723		break;
724
725	default:
726		svcerr_noproc(transp);
727		return;
728	}
729	if (check_auth) {
730		if (root_auth(transp, rqstp) == 0) {
731			if (debugging) {
732				(void) fprintf(stderr,
733				"not local privileged process\n");
734			}
735			svcerr_weakauth(transp);
736			return;
737		}
738		if (rqstp->rq_cred.oa_flavor != AUTH_SYS) {
739			if (debugging) {
740				(void) fprintf(stderr,
741				"not unix authentication\n");
742			}
743			svcerr_weakauth(transp);
744			return;
745		}
746		uid = ((struct authsys_parms *)rqstp->rq_clntcred)->aup_uid;
747	}
748
749	memset(&argument, 0, sizeof (argument));
750	if (!svc_getargs(transp, xdr_argument, &argument)) {
751		svcerr_decode(transp);
752		return;
753	}
754	result = (*local) (uid, &argument);
755	if (!svc_sendreply(transp, xdr_result, result)) {
756		if (debugging)
757			(void) fprintf(stderr, "unable to reply\n");
758		svcerr_systemerr(transp);
759	}
760	if (!svc_freeargs(transp, xdr_argument, &argument)) {
761		if (debugging)
762			(void) fprintf(stderr,
763			"unable to free arguments\n");
764		exit(1);
765	}
766	return;
767}
768
769static int
770root_auth(trans, rqstp)
771	SVCXPRT *trans;
772	struct svc_req *rqstp;
773{
774	uid_t uid;
775	struct sockaddr *remote;
776
777	remote = svc_getrpccaller(trans)->buf;
778	if (remote->sa_family != AF_UNIX) {
779		if (debugging)
780			fprintf(stderr, "client didn't use AF_UNIX\n");
781		return (0);
782	}
783
784	if (__rpc_get_local_uid(trans, &uid) < 0) {
785		if (debugging)
786			fprintf(stderr, "__rpc_get_local_uid failed\n");
787		return (0);
788	}
789
790	if (debugging)
791		fprintf(stderr, "local_uid  %ld\n", uid);
792	if (uid == 0)
793		return (1);
794	if (rqstp->rq_cred.oa_flavor == AUTH_SYS) {
795		if (((uid_t) ((struct authunix_parms *)
796			rqstp->rq_clntcred)->aup_uid)
797			== uid) {
798			return (1);
799		} else {
800			if (debugging)
801				fprintf(stderr,
802			"local_uid  %ld mismatches auth %ld\n", uid,
803((uid_t) ((struct authunix_parms *)rqstp->rq_clntcred)->aup_uid));
804			return (0);
805		}
806	} else {
807		if (debugging)
808			fprintf(stderr, "Not auth sys\n");
809		return (0);
810	}
811}
812
813static void
814usage()
815{
816	(void) fprintf(stderr,
817			"usage: keyserv [-n] [-D] [-d] [-v] [-p path]\n");
818	(void) fprintf(stderr, "-d disables the use of default keys\n");
819	exit(1);
820}
821