keyserv.c revision 110665
1/* 2 * Sun RPC is a product of Sun Microsystems, Inc. and is provided for 3 * unrestricted use provided that this legend is included on all tape 4 * media and as a part of the software program in whole or part. Users 5 * may copy or modify Sun RPC without charge, but are not authorized 6 * to license or distribute it to anyone else except as part of a product or 7 * program developed by the user. 8 * 9 * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE 10 * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR 11 * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. 12 * 13 * Sun RPC is provided with no support and without any obligation on the 14 * part of Sun Microsystems, Inc. to assist in its use, correction, 15 * modification or enhancement. 16 * 17 * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE 18 * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC 19 * OR ANY PART THEREOF. 20 * 21 * In no event will Sun Microsystems, Inc. be liable for any lost revenue 22 * or profits or other special, indirect and consequential damages, even if 23 * Sun has been advised of the possibility of such damages. 24 * 25 * Sun Microsystems, Inc. 26 * 2550 Garcia Avenue 27 * Mountain View, California 94043 28 */ 29 30#ifndef lint 31#if 0 32static char sccsid[] = "@(#)keyserv.c 1.15 94/04/25 SMI"; 33#endif 34static const char rcsid[] = 35 "$FreeBSD: head/usr.sbin/keyserv/keyserv.c 110665 2003-02-11 01:56:40Z ache $"; 36#endif /* not lint */ 37 38/* 39 * Copyright (c) 1986 - 1991 by Sun Microsystems, Inc. 40 */ 41 42/* 43 * Keyserver 44 * Store secret keys per uid. Do public key encryption and decryption 45 * operations. Generate "random" keys. 46 * Do not talk to anything but a local root 47 * process on the local transport only 48 */ 49 50#include <err.h> 51#include <pwd.h> 52#include <stdio.h> 53#include <stdlib.h> 54#include <string.h> 55#include <unistd.h> 56#include <sys/stat.h> 57#include <sys/types.h> 58#include <rpc/rpc.h> 59#include <sys/param.h> 60#include <sys/file.h> 61#include <rpc/des_crypt.h> 62#include <rpc/des.h> 63#include <rpc/key_prot.h> 64#include <rpcsvc/crypt.h> 65#include "keyserv.h" 66 67#ifndef NGROUPS 68#define NGROUPS 16 69#endif 70 71#ifndef KEYSERVSOCK 72#define KEYSERVSOCK "/var/run/keyservsock" 73#endif 74 75static void randomize __P(( des_block * )); 76static void usage __P(( void )); 77static int getrootkey __P(( des_block *, int )); 78static int root_auth __P(( SVCXPRT *, struct svc_req * )); 79 80#ifdef DEBUG 81static int debugging = 1; 82#else 83static int debugging = 0; 84#endif 85 86static void keyprogram(); 87static des_block masterkey; 88char *getenv(); 89static char ROOTKEY[] = "/etc/.rootkey"; 90 91/* 92 * Hack to allow the keyserver to use AUTH_DES (for authenticated 93 * NIS+ calls, for example). The only functions that get called 94 * are key_encryptsession_pk, key_decryptsession_pk, and key_gendes. 95 * 96 * The approach is to have the keyserver fill in pointers to local 97 * implementations of these functions, and to call those in key_call(). 98 */ 99 100extern cryptkeyres *(*__key_encryptsession_pk_LOCAL)(); 101extern cryptkeyres *(*__key_decryptsession_pk_LOCAL)(); 102extern des_block *(*__key_gendes_LOCAL)(); 103extern int (*__des_crypt_LOCAL)(); 104 105cryptkeyres *key_encrypt_pk_2_svc_prog __P(( uid_t, cryptkeyarg2 * )); 106cryptkeyres *key_decrypt_pk_2_svc_prog __P(( uid_t, cryptkeyarg2 * )); 107des_block *key_gen_1_svc_prog __P(( void *, struct svc_req * )); 108 109int 110main(argc, argv) 111 int argc; 112 char *argv[]; 113{ 114 int nflag = 0; 115 int c; 116 int warn = 0; 117 char *path = NULL; 118 void *localhandle; 119 register SVCXPRT *transp; 120 struct netconfig *nconf = NULL; 121 122 __key_encryptsession_pk_LOCAL = &key_encrypt_pk_2_svc_prog; 123 __key_decryptsession_pk_LOCAL = &key_decrypt_pk_2_svc_prog; 124 __key_gendes_LOCAL = &key_gen_1_svc_prog; 125 126 while ((c = getopt(argc, argv, "ndDvp:")) != -1) 127 switch (c) { 128 case 'n': 129 nflag++; 130 break; 131 case 'd': 132 pk_nodefaultkeys(); 133 break; 134 case 'D': 135 debugging = 1; 136 break; 137 case 'v': 138 warn = 1; 139 break; 140 case 'p': 141 path = optarg; 142 break; 143 default: 144 usage(); 145 } 146 147 load_des(warn, path); 148 __des_crypt_LOCAL = _my_crypt; 149 if (svc_auth_reg(AUTH_DES, _svcauth_des) == -1) 150 errx(1, "failed to register AUTH_DES authenticator"); 151 152 if (optind != argc) { 153 usage(); 154 } 155 156 /* 157 * Initialize 158 */ 159 (void) umask(S_IXUSR|S_IXGRP|S_IXOTH); 160 if (geteuid() != 0) 161 errx(1, "keyserv must be run as root"); 162 setmodulus(HEXMODULUS); 163 getrootkey(&masterkey, nflag); 164 165 rpcb_unset(KEY_PROG, KEY_VERS, NULL); 166 rpcb_unset(KEY_PROG, KEY_VERS2, NULL); 167 168 if (svc_create(keyprogram, KEY_PROG, KEY_VERS, 169 "netpath") == 0) { 170 (void) fprintf(stderr, 171 "%s: unable to create service\n", argv[0]); 172 exit(1); 173 } 174 175 if (svc_create(keyprogram, KEY_PROG, KEY_VERS2, 176 "netpath") == 0) { 177 (void) fprintf(stderr, 178 "%s: unable to create service\n", argv[0]); 179 exit(1); 180 } 181 182 localhandle = setnetconfig(); 183 while ((nconf = getnetconfig(localhandle)) != NULL) { 184 if (nconf->nc_protofmly != NULL && 185 strcmp(nconf->nc_protofmly, NC_LOOPBACK) == 0) 186 break; 187 } 188 189 if (nconf == NULL) 190 errx(1, "getnetconfig: %s", nc_sperror()); 191 192 unlink(KEYSERVSOCK); 193 rpcb_unset(CRYPT_PROG, CRYPT_VERS, nconf); 194 transp = svcunix_create(RPC_ANYSOCK, 0, 0, KEYSERVSOCK); 195 if (transp == NULL) 196 errx(1, "cannot create AF_LOCAL service"); 197 if (!svc_reg(transp, KEY_PROG, KEY_VERS, keyprogram, nconf)) 198 errx(1, "unable to register (KEY_PROG, KEY_VERS, unix)"); 199 if (!svc_reg(transp, KEY_PROG, KEY_VERS2, keyprogram, nconf)) 200 errx(1, "unable to register (KEY_PROG, KEY_VERS2, unix)"); 201 if (!svc_reg(transp, CRYPT_PROG, CRYPT_VERS, crypt_prog_1, nconf)) 202 errx(1, "unable to register (CRYPT_PROG, CRYPT_VERS, unix)"); 203 204 endnetconfig(localhandle); 205 206 (void) umask(066); /* paranoia */ 207 208 if (!debugging) { 209 daemon(0,0); 210 } 211 212 signal(SIGPIPE, SIG_IGN); 213 214 svc_run(); 215 abort(); 216 /* NOTREACHED */ 217} 218 219/* 220 * In the event that we don't get a root password, we try to 221 * randomize the master key the best we can 222 */ 223static void 224randomize(master) 225 des_block *master; 226{ 227#ifndef __FreeBSD__ 228 int i; 229 int seed; 230 struct timeval tv; 231 int shift; 232 233 seed = 0; 234 for (i = 0; i < 1024; i++) { 235 (void) gettimeofday(&tv, (struct timezone *) NULL); 236 shift = i % 8 * sizeof (int); 237 seed ^= (tv.tv_usec << shift) | (tv.tv_usec >> (32 - shift)); 238 } 239#endif 240#ifdef KEYSERV_RANDOM 241#ifdef __FreeBSD__ 242 srandomdev(); 243#else 244 srandom(seed); 245#endif 246 master->key.low = random(); 247 master->key.high = random(); 248#else 249 /* use stupid dangerous bad rand() */ 250#ifdef __FreeBSD__ 251 sranddev(); 252#else 253 srand(seed); 254#endif 255 master->key.low = rand(); 256 master->key.high = rand(); 257#endif 258} 259 260/* 261 * Try to get root's secret key, by prompting if terminal is a tty, else trying 262 * from standard input. 263 * Returns 1 on success. 264 */ 265static int 266getrootkey(master, prompt) 267 des_block *master; 268 int prompt; 269{ 270 char *passwd; 271 char name[MAXNETNAMELEN + 1]; 272 char secret[HEXKEYBYTES]; 273 key_netstarg netstore; 274 int fd; 275 276 if (!prompt) { 277 /* 278 * Read secret key out of ROOTKEY 279 */ 280 fd = open(ROOTKEY, O_RDONLY, 0); 281 if (fd < 0) { 282 randomize(master); 283 return (0); 284 } 285 if (read(fd, secret, HEXKEYBYTES) < HEXKEYBYTES) { 286 warnx("the key read from %s was too short", ROOTKEY); 287 (void) close(fd); 288 return (0); 289 } 290 (void) close(fd); 291 if (!getnetname(name)) { 292 warnx( 293 "failed to generate host's netname when establishing root's key"); 294 return (0); 295 } 296 memcpy(netstore.st_priv_key, secret, HEXKEYBYTES); 297 memset(netstore.st_pub_key, 0, HEXKEYBYTES); 298 netstore.st_netname = name; 299 if (pk_netput(0, &netstore) != KEY_SUCCESS) { 300 warnx("could not set root's key and netname"); 301 return (0); 302 } 303 return (1); 304 } 305 /* 306 * Decrypt yellow pages publickey entry to get secret key 307 */ 308 passwd = getpass("root password:"); 309 passwd2des(passwd, (char *)master); 310 getnetname(name); 311 if (!getsecretkey(name, secret, passwd)) { 312 warnx("can't find %s's secret key", name); 313 return (0); 314 } 315 if (secret[0] == 0) { 316 warnx("password does not decrypt secret key for %s", name); 317 return (0); 318 } 319 (void) pk_setkey(0, secret); 320 /* 321 * Store it for future use in $ROOTKEY, if possible 322 */ 323 fd = open(ROOTKEY, O_WRONLY|O_TRUNC|O_CREAT, 0); 324 if (fd > 0) { 325 char newline = '\n'; 326 327 write(fd, secret, strlen(secret)); 328 write(fd, &newline, sizeof (newline)); 329 close(fd); 330 } 331 return (1); 332} 333 334/* 335 * Procedures to implement RPC service 336 */ 337char * 338strstatus(status) 339 keystatus status; 340{ 341 switch (status) { 342 case KEY_SUCCESS: 343 return ("KEY_SUCCESS"); 344 case KEY_NOSECRET: 345 return ("KEY_NOSECRET"); 346 case KEY_UNKNOWN: 347 return ("KEY_UNKNOWN"); 348 case KEY_SYSTEMERR: 349 return ("KEY_SYSTEMERR"); 350 default: 351 return ("(bad result code)"); 352 } 353} 354 355keystatus * 356key_set_1_svc_prog(uid, key) 357 uid_t uid; 358 keybuf key; 359{ 360 static keystatus status; 361 362 if (debugging) { 363 (void) fprintf(stderr, "set(%ld, %.*s) = ", uid, 364 (int) sizeof (keybuf), key); 365 } 366 status = pk_setkey(uid, key); 367 if (debugging) { 368 (void) fprintf(stderr, "%s\n", strstatus(status)); 369 (void) fflush(stderr); 370 } 371 return (&status); 372} 373 374cryptkeyres * 375key_encrypt_pk_2_svc_prog(uid, arg) 376 uid_t uid; 377 cryptkeyarg2 *arg; 378{ 379 static cryptkeyres res; 380 381 if (debugging) { 382 (void) fprintf(stderr, "encrypt(%ld, %s, %08x%08x) = ", uid, 383 arg->remotename, arg->deskey.key.high, 384 arg->deskey.key.low); 385 } 386 res.cryptkeyres_u.deskey = arg->deskey; 387 res.status = pk_encrypt(uid, arg->remotename, &(arg->remotekey), 388 &res.cryptkeyres_u.deskey); 389 if (debugging) { 390 if (res.status == KEY_SUCCESS) { 391 (void) fprintf(stderr, "%08x%08x\n", 392 res.cryptkeyres_u.deskey.key.high, 393 res.cryptkeyres_u.deskey.key.low); 394 } else { 395 (void) fprintf(stderr, "%s\n", strstatus(res.status)); 396 } 397 (void) fflush(stderr); 398 } 399 return (&res); 400} 401 402cryptkeyres * 403key_decrypt_pk_2_svc_prog(uid, arg) 404 uid_t uid; 405 cryptkeyarg2 *arg; 406{ 407 static cryptkeyres res; 408 409 if (debugging) { 410 (void) fprintf(stderr, "decrypt(%ld, %s, %08x%08x) = ", uid, 411 arg->remotename, arg->deskey.key.high, 412 arg->deskey.key.low); 413 } 414 res.cryptkeyres_u.deskey = arg->deskey; 415 res.status = pk_decrypt(uid, arg->remotename, &(arg->remotekey), 416 &res.cryptkeyres_u.deskey); 417 if (debugging) { 418 if (res.status == KEY_SUCCESS) { 419 (void) fprintf(stderr, "%08x%08x\n", 420 res.cryptkeyres_u.deskey.key.high, 421 res.cryptkeyres_u.deskey.key.low); 422 } else { 423 (void) fprintf(stderr, "%s\n", strstatus(res.status)); 424 } 425 (void) fflush(stderr); 426 } 427 return (&res); 428} 429 430keystatus * 431key_net_put_2_svc_prog(uid, arg) 432 uid_t uid; 433 key_netstarg *arg; 434{ 435 static keystatus status; 436 437 if (debugging) { 438 (void) fprintf(stderr, "net_put(%s, %.*s, %.*s) = ", 439 arg->st_netname, (int)sizeof (arg->st_pub_key), 440 arg->st_pub_key, (int)sizeof (arg->st_priv_key), 441 arg->st_priv_key); 442 }; 443 444 status = pk_netput(uid, arg); 445 446 if (debugging) { 447 (void) fprintf(stderr, "%s\n", strstatus(status)); 448 (void) fflush(stderr); 449 } 450 451 return (&status); 452} 453 454key_netstres * 455key_net_get_2_svc_prog(uid, arg) 456 uid_t uid; 457 void *arg; 458{ 459 static key_netstres keynetname; 460 461 if (debugging) 462 (void) fprintf(stderr, "net_get(%ld) = ", uid); 463 464 keynetname.status = pk_netget(uid, &keynetname.key_netstres_u.knet); 465 if (debugging) { 466 if (keynetname.status == KEY_SUCCESS) { 467 fprintf(stderr, "<%s, %.*s, %.*s>\n", 468 keynetname.key_netstres_u.knet.st_netname, 469 (int)sizeof (keynetname.key_netstres_u.knet.st_pub_key), 470 keynetname.key_netstres_u.knet.st_pub_key, 471 (int)sizeof (keynetname.key_netstres_u.knet.st_priv_key), 472 keynetname.key_netstres_u.knet.st_priv_key); 473 } else { 474 (void) fprintf(stderr, "NOT FOUND\n"); 475 } 476 (void) fflush(stderr); 477 } 478 479 return (&keynetname); 480 481} 482 483cryptkeyres * 484key_get_conv_2_svc_prog(uid, arg) 485 uid_t uid; 486 keybuf arg; 487{ 488 static cryptkeyres res; 489 490 if (debugging) 491 (void) fprintf(stderr, "get_conv(%ld, %.*s) = ", uid, 492 (int)sizeof (arg), arg); 493 494 495 res.status = pk_get_conv_key(uid, arg, &res); 496 497 if (debugging) { 498 if (res.status == KEY_SUCCESS) { 499 (void) fprintf(stderr, "%08x%08x\n", 500 res.cryptkeyres_u.deskey.key.high, 501 res.cryptkeyres_u.deskey.key.low); 502 } else { 503 (void) fprintf(stderr, "%s\n", strstatus(res.status)); 504 } 505 (void) fflush(stderr); 506 } 507 return (&res); 508} 509 510 511cryptkeyres * 512key_encrypt_1_svc_prog(uid, arg) 513 uid_t uid; 514 cryptkeyarg *arg; 515{ 516 static cryptkeyres res; 517 518 if (debugging) { 519 (void) fprintf(stderr, "encrypt(%ld, %s, %08x%08x) = ", uid, 520 arg->remotename, arg->deskey.key.high, 521 arg->deskey.key.low); 522 } 523 res.cryptkeyres_u.deskey = arg->deskey; 524 res.status = pk_encrypt(uid, arg->remotename, NULL, 525 &res.cryptkeyres_u.deskey); 526 if (debugging) { 527 if (res.status == KEY_SUCCESS) { 528 (void) fprintf(stderr, "%08x%08x\n", 529 res.cryptkeyres_u.deskey.key.high, 530 res.cryptkeyres_u.deskey.key.low); 531 } else { 532 (void) fprintf(stderr, "%s\n", strstatus(res.status)); 533 } 534 (void) fflush(stderr); 535 } 536 return (&res); 537} 538 539cryptkeyres * 540key_decrypt_1_svc_prog(uid, arg) 541 uid_t uid; 542 cryptkeyarg *arg; 543{ 544 static cryptkeyres res; 545 546 if (debugging) { 547 (void) fprintf(stderr, "decrypt(%ld, %s, %08x%08x) = ", uid, 548 arg->remotename, arg->deskey.key.high, 549 arg->deskey.key.low); 550 } 551 res.cryptkeyres_u.deskey = arg->deskey; 552 res.status = pk_decrypt(uid, arg->remotename, NULL, 553 &res.cryptkeyres_u.deskey); 554 if (debugging) { 555 if (res.status == KEY_SUCCESS) { 556 (void) fprintf(stderr, "%08x%08x\n", 557 res.cryptkeyres_u.deskey.key.high, 558 res.cryptkeyres_u.deskey.key.low); 559 } else { 560 (void) fprintf(stderr, "%s\n", strstatus(res.status)); 561 } 562 (void) fflush(stderr); 563 } 564 return (&res); 565} 566 567/* ARGSUSED */ 568des_block * 569key_gen_1_svc_prog(v, s) 570 void *v; 571 struct svc_req *s; 572{ 573 struct timeval time; 574 static des_block keygen; 575 static des_block key; 576 577 (void) gettimeofday(&time, (struct timezone *) NULL); 578 keygen.key.high += (time.tv_sec ^ time.tv_usec); 579 keygen.key.low += (time.tv_sec ^ time.tv_usec); 580 ecb_crypt((char *)&masterkey, (char *)&keygen, sizeof (keygen), 581 DES_ENCRYPT | DES_HW); 582 key = keygen; 583 des_setparity((char *)&key); 584 if (debugging) { 585 (void) fprintf(stderr, "gen() = %08x%08x\n", key.key.high, 586 key.key.low); 587 (void) fflush(stderr); 588 } 589 return (&key); 590} 591 592getcredres * 593key_getcred_1_svc_prog(uid, name) 594 uid_t uid; 595 netnamestr *name; 596{ 597 static getcredres res; 598 static u_int gids[NGROUPS]; 599 struct unixcred *cred; 600 601 cred = &res.getcredres_u.cred; 602 cred->gids.gids_val = gids; 603 if (!netname2user(*name, (uid_t *) &cred->uid, (gid_t *) &cred->gid, 604 (int *)&cred->gids.gids_len, (gid_t *)gids)) { 605 res.status = KEY_UNKNOWN; 606 } else { 607 res.status = KEY_SUCCESS; 608 } 609 if (debugging) { 610 (void) fprintf(stderr, "getcred(%s) = ", *name); 611 if (res.status == KEY_SUCCESS) { 612 (void) fprintf(stderr, "uid=%d, gid=%d, grouplen=%d\n", 613 cred->uid, cred->gid, cred->gids.gids_len); 614 } else { 615 (void) fprintf(stderr, "%s\n", strstatus(res.status)); 616 } 617 (void) fflush(stderr); 618 } 619 return (&res); 620} 621 622/* 623 * RPC boilerplate 624 */ 625static void 626keyprogram(rqstp, transp) 627 struct svc_req *rqstp; 628 SVCXPRT *transp; 629{ 630 union { 631 keybuf key_set_1_arg; 632 cryptkeyarg key_encrypt_1_arg; 633 cryptkeyarg key_decrypt_1_arg; 634 netnamestr key_getcred_1_arg; 635 cryptkeyarg key_encrypt_2_arg; 636 cryptkeyarg key_decrypt_2_arg; 637 netnamestr key_getcred_2_arg; 638 cryptkeyarg2 key_encrypt_pk_2_arg; 639 cryptkeyarg2 key_decrypt_pk_2_arg; 640 key_netstarg key_net_put_2_arg; 641 netobj key_get_conv_2_arg; 642 } argument; 643 char *result; 644 xdrproc_t xdr_argument, xdr_result; 645 char *(*local) (); 646 uid_t uid = -1; 647 int check_auth; 648 649 switch (rqstp->rq_proc) { 650 case NULLPROC: 651 svc_sendreply(transp, (xdrproc_t)xdr_void, NULL); 652 return; 653 654 case KEY_SET: 655 xdr_argument = (xdrproc_t)xdr_keybuf; 656 xdr_result = (xdrproc_t)xdr_int; 657 local = (char *(*)()) key_set_1_svc_prog; 658 check_auth = 1; 659 break; 660 661 case KEY_ENCRYPT: 662 xdr_argument = (xdrproc_t)xdr_cryptkeyarg; 663 xdr_result = (xdrproc_t)xdr_cryptkeyres; 664 local = (char *(*)()) key_encrypt_1_svc_prog; 665 check_auth = 1; 666 break; 667 668 case KEY_DECRYPT: 669 xdr_argument = (xdrproc_t)xdr_cryptkeyarg; 670 xdr_result = (xdrproc_t)xdr_cryptkeyres; 671 local = (char *(*)()) key_decrypt_1_svc_prog; 672 check_auth = 1; 673 break; 674 675 case KEY_GEN: 676 xdr_argument = (xdrproc_t)xdr_void; 677 xdr_result = (xdrproc_t)xdr_des_block; 678 local = (char *(*)()) key_gen_1_svc_prog; 679 check_auth = 0; 680 break; 681 682 case KEY_GETCRED: 683 xdr_argument = (xdrproc_t)xdr_netnamestr; 684 xdr_result = (xdrproc_t)xdr_getcredres; 685 local = (char *(*)()) key_getcred_1_svc_prog; 686 check_auth = 0; 687 break; 688 689 case KEY_ENCRYPT_PK: 690 xdr_argument = (xdrproc_t)xdr_cryptkeyarg2; 691 xdr_result = (xdrproc_t)xdr_cryptkeyres; 692 local = (char *(*)()) key_encrypt_pk_2_svc_prog; 693 check_auth = 1; 694 break; 695 696 case KEY_DECRYPT_PK: 697 xdr_argument = (xdrproc_t)xdr_cryptkeyarg2; 698 xdr_result = (xdrproc_t)xdr_cryptkeyres; 699 local = (char *(*)()) key_decrypt_pk_2_svc_prog; 700 check_auth = 1; 701 break; 702 703 704 case KEY_NET_PUT: 705 xdr_argument = (xdrproc_t)xdr_key_netstarg; 706 xdr_result = (xdrproc_t)xdr_keystatus; 707 local = (char *(*)()) key_net_put_2_svc_prog; 708 check_auth = 1; 709 break; 710 711 case KEY_NET_GET: 712 xdr_argument = (xdrproc_t) xdr_void; 713 xdr_result = (xdrproc_t)xdr_key_netstres; 714 local = (char *(*)()) key_net_get_2_svc_prog; 715 check_auth = 1; 716 break; 717 718 case KEY_GET_CONV: 719 xdr_argument = (xdrproc_t) xdr_keybuf; 720 xdr_result = (xdrproc_t)xdr_cryptkeyres; 721 local = (char *(*)()) key_get_conv_2_svc_prog; 722 check_auth = 1; 723 break; 724 725 default: 726 svcerr_noproc(transp); 727 return; 728 } 729 if (check_auth) { 730 if (root_auth(transp, rqstp) == 0) { 731 if (debugging) { 732 (void) fprintf(stderr, 733 "not local privileged process\n"); 734 } 735 svcerr_weakauth(transp); 736 return; 737 } 738 if (rqstp->rq_cred.oa_flavor != AUTH_SYS) { 739 if (debugging) { 740 (void) fprintf(stderr, 741 "not unix authentication\n"); 742 } 743 svcerr_weakauth(transp); 744 return; 745 } 746 uid = ((struct authsys_parms *)rqstp->rq_clntcred)->aup_uid; 747 } 748 749 memset(&argument, 0, sizeof (argument)); 750 if (!svc_getargs(transp, xdr_argument, &argument)) { 751 svcerr_decode(transp); 752 return; 753 } 754 result = (*local) (uid, &argument); 755 if (!svc_sendreply(transp, xdr_result, result)) { 756 if (debugging) 757 (void) fprintf(stderr, "unable to reply\n"); 758 svcerr_systemerr(transp); 759 } 760 if (!svc_freeargs(transp, xdr_argument, &argument)) { 761 if (debugging) 762 (void) fprintf(stderr, 763 "unable to free arguments\n"); 764 exit(1); 765 } 766 return; 767} 768 769static int 770root_auth(trans, rqstp) 771 SVCXPRT *trans; 772 struct svc_req *rqstp; 773{ 774 uid_t uid; 775 struct sockaddr *remote; 776 777 remote = svc_getrpccaller(trans)->buf; 778 if (remote->sa_family != AF_UNIX) { 779 if (debugging) 780 fprintf(stderr, "client didn't use AF_UNIX\n"); 781 return (0); 782 } 783 784 if (__rpc_get_local_uid(trans, &uid) < 0) { 785 if (debugging) 786 fprintf(stderr, "__rpc_get_local_uid failed\n"); 787 return (0); 788 } 789 790 if (debugging) 791 fprintf(stderr, "local_uid %ld\n", uid); 792 if (uid == 0) 793 return (1); 794 if (rqstp->rq_cred.oa_flavor == AUTH_SYS) { 795 if (((uid_t) ((struct authunix_parms *) 796 rqstp->rq_clntcred)->aup_uid) 797 == uid) { 798 return (1); 799 } else { 800 if (debugging) 801 fprintf(stderr, 802 "local_uid %ld mismatches auth %ld\n", uid, 803((uid_t) ((struct authunix_parms *)rqstp->rq_clntcred)->aup_uid)); 804 return (0); 805 } 806 } else { 807 if (debugging) 808 fprintf(stderr, "Not auth sys\n"); 809 return (0); 810 } 811} 812 813static void 814usage() 815{ 816 (void) fprintf(stderr, 817 "usage: keyserv [-n] [-D] [-d] [-v] [-p path]\n"); 818 (void) fprintf(stderr, "-d disables the use of default keys\n"); 819 exit(1); 820} 821