12849Sphk/* 22849Sphk * Sun RPC is a product of Sun Microsystems, Inc. and is provided for 32849Sphk * unrestricted use provided that this legend is included on all tape 493151Sphk * media and as a part of the software program in whole or part. Users 52849Sphk * may copy or modify Sun RPC without charge, but are not authorized 62849Sphk * to license or distribute it to anyone else except as part of a product or 72849Sphk * program developed by the user. 82849Sphk * 950479Speter * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE 102849Sphk * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR 112849Sphk * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. 122849Sphk * 13206622Suqs * Sun RPC is provided with no support and without any obligation on the 1479537Sru * part of Sun Microsystems, Inc. to assist in its use, correction, 152849Sphk * modification or enhancement. 162849Sphk * 172849Sphk * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE 182849Sphk * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC 1968965Sru * OR ANY PART THEREOF. 2029559Scharnier * 2129559Scharnier * In no event will Sun Microsystems, Inc. be liable for any lost revenue 2229559Scharnier * or profits or other special, indirect and consequential damages, even if 2329559Scharnier * Sun has been advised of the possibility of such damages. 242849Sphk * 2595127Scharnier * Sun Microsystems, Inc. 2695127Scharnier * 2550 Garcia Avenue 2795127Scharnier * Mountain View, California 94043 282849Sphk */ 2968575Sru 3095127Scharnier/* 3195127Scharnier * Copyright (c) 1986 - 1991 by Sun Microsystems, Inc. 3295127Scharnier */ 3381251Sru 3481251Sru/* 352849Sphk * Keyserver 3625932Seivind * Store secret keys per uid. Do public key encryption and decryption 372849Sphk * operations. Generate "random" keys. 382849Sphk * Do not talk to anything but a local root 392849Sphk * process on the local transport only 4037207Ssteve */ 412849Sphk 422849Sphk#include <err.h> 4368575Sru#include <pwd.h> 442849Sphk#include <stdio.h> 452849Sphk#include <stdlib.h> 462849Sphk#include <string.h> 4729559Scharnier#include <unistd.h> 482849Sphk#include <sys/stat.h> 4979755Sdd#include <sys/types.h> 502849Sphk#include <rpc/rpc.h> 512849Sphk#include <sys/param.h> 522849Sphk#include <sys/file.h> 532849Sphk#include <rpc/des_crypt.h> 542849Sphk#include <rpc/des.h> 552849Sphk#include <rpc/key_prot.h> 5629559Scharnier#include <rpcsvc/crypt.h> 57141846Sru#include "keyserv.h" 5857673Ssheldonh 5929559Scharnier#ifndef NGROUPS 602849Sphk#define NGROUPS 16 61131500Sru#endif 62131500Sru 632849Sphk#ifndef KEYSERVSOCK 64131500Sru#define KEYSERVSOCK "/var/run/keyservsock" 65131500Sru#endif 6659651Sobrien 672849Sphkstatic void randomize( des_block * ); 6868575Srustatic void usage( void ); 6995127Scharnierstatic int getrootkey( des_block *, int ); 7095127Scharnierstatic int root_auth( SVCXPRT *, struct svc_req * ); 7195127Scharnier 722849Sphk#ifdef DEBUG 732849Sphkstatic int debugging = 1; 742849Sphk#else 752849Sphkstatic int debugging = 0; 7668575Sru#endif 772849Sphk 782849Sphkstatic void keyprogram(struct svc_req *rqstp, SVCXPRT *transp); 792849Sphkstatic des_block masterkey; 802849Sphkstatic char ROOTKEY[] = "/etc/.rootkey"; 812849Sphk 822849Sphk/* 8368854Sru * Hack to allow the keyserver to use AUTH_DES (for authenticated 8495127Scharnier * NIS+ calls, for example). The only functions that get called 8595127Scharnier * are key_encryptsession_pk, key_decryptsession_pk, and key_gendes. 8695127Scharnier * 872849Sphk * The approach is to have the keyserver fill in pointers to local 882849Sphk * implementations of these functions, and to call those in key_call(). 8968575Sru */ 90233510Sjoel 9168575Sruextern cryptkeyres *(*__key_encryptsession_pk_LOCAL)(); 922849Sphkextern cryptkeyres *(*__key_decryptsession_pk_LOCAL)(); 9371102Sruextern des_block *(*__key_gendes_LOCAL)(); 942849Sphkextern int (*__des_crypt_LOCAL)(); 952849Sphk 962849Sphkcryptkeyres *key_encrypt_pk_2_svc_prog( uid_t, cryptkeyarg2 * ); 972849Sphkcryptkeyres *key_decrypt_pk_2_svc_prog( uid_t, cryptkeyarg2 * ); 9834809Scharnierdes_block *key_gen_1_svc_prog( void *, struct svc_req * ); 992849Sphk 10095127Scharnierint 10195127Scharniermain(int argc, char *argv[]) 10295127Scharnier{ 1032849Sphk int nflag = 0; 1042849Sphk int c; 10534809Scharnier int warn = 0; 1062849Sphk char *path = NULL; 10793151Sphk void *localhandle; 1082849Sphk register SVCXPRT *transp; 1092849Sphk struct netconfig *nconf = NULL; 11068575Sru 1112849Sphk __key_encryptsession_pk_LOCAL = &key_encrypt_pk_2_svc_prog; 1122849Sphk __key_decryptsession_pk_LOCAL = &key_decrypt_pk_2_svc_prog; 1132849Sphk __key_gendes_LOCAL = &key_gen_1_svc_prog; 1142849Sphk 11568575Sru while ((c = getopt(argc, argv, "ndDvp:")) != -1) 1162849Sphk switch (c) { 11737079Smph case 'n': 11868575Sru nflag++; 1192849Sphk break; 1202849Sphk case 'd': 12168575Sru pk_nodefaultkeys(); 1222849Sphk break; 1232849Sphk case 'D': 1242849Sphk debugging = 1; 1252849Sphk break; 1262849Sphk case 'v': 1272849Sphk warn = 1; 1282849Sphk break; 12937079Smph case 'p': 130 path = optarg; 131 break; 132 default: 133 usage(); 134 } 135 136 load_des(warn, path); 137 __des_crypt_LOCAL = _my_crypt; 138 if (svc_auth_reg(AUTH_DES, _svcauth_des) == -1) 139 errx(1, "failed to register AUTH_DES authenticator"); 140 141 if (optind != argc) { 142 usage(); 143 } 144 145 /* 146 * Initialize 147 */ 148 (void) umask(S_IXUSR|S_IXGRP|S_IXOTH); 149 if (geteuid() != 0) 150 errx(1, "keyserv must be run as root"); 151 setmodulus(HEXMODULUS); 152 getrootkey(&masterkey, nflag); 153 154 rpcb_unset(KEY_PROG, KEY_VERS, NULL); 155 rpcb_unset(KEY_PROG, KEY_VERS2, NULL); 156 157 if (svc_create(keyprogram, KEY_PROG, KEY_VERS, 158 "netpath") == 0) { 159 (void) fprintf(stderr, 160 "%s: unable to create service\n", argv[0]); 161 exit(1); 162 } 163 164 if (svc_create(keyprogram, KEY_PROG, KEY_VERS2, 165 "netpath") == 0) { 166 (void) fprintf(stderr, 167 "%s: unable to create service\n", argv[0]); 168 exit(1); 169 } 170 171 localhandle = setnetconfig(); 172 while ((nconf = getnetconfig(localhandle)) != NULL) { 173 if (nconf->nc_protofmly != NULL && 174 strcmp(nconf->nc_protofmly, NC_LOOPBACK) == 0) 175 break; 176 } 177 178 if (nconf == NULL) 179 errx(1, "getnetconfig: %s", nc_sperror()); 180 181 unlink(KEYSERVSOCK); 182 rpcb_unset(CRYPT_PROG, CRYPT_VERS, nconf); 183 transp = svcunix_create(RPC_ANYSOCK, 0, 0, KEYSERVSOCK); 184 if (transp == NULL) 185 errx(1, "cannot create AF_LOCAL service"); 186 if (!svc_reg(transp, KEY_PROG, KEY_VERS, keyprogram, nconf)) 187 errx(1, "unable to register (KEY_PROG, KEY_VERS, unix)"); 188 if (!svc_reg(transp, KEY_PROG, KEY_VERS2, keyprogram, nconf)) 189 errx(1, "unable to register (KEY_PROG, KEY_VERS2, unix)"); 190 if (!svc_reg(transp, CRYPT_PROG, CRYPT_VERS, crypt_prog_1, nconf)) 191 errx(1, "unable to register (CRYPT_PROG, CRYPT_VERS, unix)"); 192 193 endnetconfig(localhandle); 194 195 (void) umask(066); /* paranoia */ 196 197 if (!debugging) { 198 daemon(0,0); 199 } 200 201 signal(SIGPIPE, SIG_IGN); 202 203 svc_run(); 204 abort(); 205 /* NOTREACHED */ 206} 207 208/* 209 * In the event that we don't get a root password, we try to 210 * randomize the master key the best we can 211 */ 212static void 213randomize(des_block *master) 214{ 215 master->key.low = arc4random(); 216 master->key.high = arc4random(); 217} 218 219/* 220 * Try to get root's secret key, by prompting if terminal is a tty, else trying 221 * from standard input. 222 * Returns 1 on success. 223 */ 224static int 225getrootkey(des_block *master, int prompt) 226{ 227 char *passwd; 228 char name[MAXNETNAMELEN + 1]; 229 char secret[HEXKEYBYTES]; 230 key_netstarg netstore; 231 int fd; 232 233 if (!prompt) { 234 /* 235 * Read secret key out of ROOTKEY 236 */ 237 fd = open(ROOTKEY, O_RDONLY, 0); 238 if (fd < 0) { 239 randomize(master); 240 return (0); 241 } 242 if (read(fd, secret, HEXKEYBYTES) < HEXKEYBYTES) { 243 warnx("the key read from %s was too short", ROOTKEY); 244 (void) close(fd); 245 return (0); 246 } 247 (void) close(fd); 248 if (!getnetname(name)) { 249 warnx( 250 "failed to generate host's netname when establishing root's key"); 251 return (0); 252 } 253 memcpy(netstore.st_priv_key, secret, HEXKEYBYTES); 254 memset(netstore.st_pub_key, 0, HEXKEYBYTES); 255 netstore.st_netname = name; 256 if (pk_netput(0, &netstore) != KEY_SUCCESS) { 257 warnx("could not set root's key and netname"); 258 return (0); 259 } 260 return (1); 261 } 262 /* 263 * Decrypt yellow pages publickey entry to get secret key 264 */ 265 passwd = getpass("root password:"); 266 passwd2des(passwd, (char *)master); 267 getnetname(name); 268 if (!getsecretkey(name, secret, passwd)) { 269 warnx("can't find %s's secret key", name); 270 return (0); 271 } 272 if (secret[0] == 0) { 273 warnx("password does not decrypt secret key for %s", name); 274 return (0); 275 } 276 (void) pk_setkey(0, secret); 277 /* 278 * Store it for future use in $ROOTKEY, if possible 279 */ 280 fd = open(ROOTKEY, O_WRONLY|O_TRUNC|O_CREAT, 0); 281 if (fd > 0) { 282 char newline = '\n'; 283 284 write(fd, secret, strlen(secret)); 285 write(fd, &newline, sizeof (newline)); 286 close(fd); 287 } 288 return (1); 289} 290 291/* 292 * Procedures to implement RPC service 293 */ 294char * 295strstatus(keystatus status) 296{ 297 switch (status) { 298 case KEY_SUCCESS: 299 return ("KEY_SUCCESS"); 300 case KEY_NOSECRET: 301 return ("KEY_NOSECRET"); 302 case KEY_UNKNOWN: 303 return ("KEY_UNKNOWN"); 304 case KEY_SYSTEMERR: 305 return ("KEY_SYSTEMERR"); 306 default: 307 return ("(bad result code)"); 308 } 309} 310 311keystatus * 312key_set_1_svc_prog(uid_t uid, keybuf key) 313{ 314 static keystatus status; 315 316 if (debugging) { 317 (void) fprintf(stderr, "set(%u, %.*s) = ", uid, 318 (int) sizeof (keybuf), key); 319 } 320 status = pk_setkey(uid, key); 321 if (debugging) { 322 (void) fprintf(stderr, "%s\n", strstatus(status)); 323 (void) fflush(stderr); 324 } 325 return (&status); 326} 327 328cryptkeyres * 329key_encrypt_pk_2_svc_prog(uid_t uid, cryptkeyarg2 *arg) 330{ 331 static cryptkeyres res; 332 333 if (debugging) { 334 (void) fprintf(stderr, "encrypt(%u, %s, %08x%08x) = ", uid, 335 arg->remotename, arg->deskey.key.high, 336 arg->deskey.key.low); 337 } 338 res.cryptkeyres_u.deskey = arg->deskey; 339 res.status = pk_encrypt(uid, arg->remotename, &(arg->remotekey), 340 &res.cryptkeyres_u.deskey); 341 if (debugging) { 342 if (res.status == KEY_SUCCESS) { 343 (void) fprintf(stderr, "%08x%08x\n", 344 res.cryptkeyres_u.deskey.key.high, 345 res.cryptkeyres_u.deskey.key.low); 346 } else { 347 (void) fprintf(stderr, "%s\n", strstatus(res.status)); 348 } 349 (void) fflush(stderr); 350 } 351 return (&res); 352} 353 354cryptkeyres * 355key_decrypt_pk_2_svc_prog(uid_t uid, cryptkeyarg2 *arg) 356{ 357 static cryptkeyres res; 358 359 if (debugging) { 360 (void) fprintf(stderr, "decrypt(%u, %s, %08x%08x) = ", uid, 361 arg->remotename, arg->deskey.key.high, 362 arg->deskey.key.low); 363 } 364 res.cryptkeyres_u.deskey = arg->deskey; 365 res.status = pk_decrypt(uid, arg->remotename, &(arg->remotekey), 366 &res.cryptkeyres_u.deskey); 367 if (debugging) { 368 if (res.status == KEY_SUCCESS) { 369 (void) fprintf(stderr, "%08x%08x\n", 370 res.cryptkeyres_u.deskey.key.high, 371 res.cryptkeyres_u.deskey.key.low); 372 } else { 373 (void) fprintf(stderr, "%s\n", strstatus(res.status)); 374 } 375 (void) fflush(stderr); 376 } 377 return (&res); 378} 379 380keystatus * 381key_net_put_2_svc_prog(uid_t uid, key_netstarg *arg) 382{ 383 static keystatus status; 384 385 if (debugging) { 386 (void) fprintf(stderr, "net_put(%s, %.*s, %.*s) = ", 387 arg->st_netname, (int)sizeof (arg->st_pub_key), 388 arg->st_pub_key, (int)sizeof (arg->st_priv_key), 389 arg->st_priv_key); 390 } 391 392 status = pk_netput(uid, arg); 393 394 if (debugging) { 395 (void) fprintf(stderr, "%s\n", strstatus(status)); 396 (void) fflush(stderr); 397 } 398 399 return (&status); 400} 401 402key_netstres * 403key_net_get_2_svc_prog(uid_t uid, void *arg) 404{ 405 static key_netstres keynetname; 406 407 if (debugging) 408 (void) fprintf(stderr, "net_get(%u) = ", uid); 409 410 keynetname.status = pk_netget(uid, &keynetname.key_netstres_u.knet); 411 if (debugging) { 412 if (keynetname.status == KEY_SUCCESS) { 413 fprintf(stderr, "<%s, %.*s, %.*s>\n", 414 keynetname.key_netstres_u.knet.st_netname, 415 (int)sizeof (keynetname.key_netstres_u.knet.st_pub_key), 416 keynetname.key_netstres_u.knet.st_pub_key, 417 (int)sizeof (keynetname.key_netstres_u.knet.st_priv_key), 418 keynetname.key_netstres_u.knet.st_priv_key); 419 } else { 420 (void) fprintf(stderr, "NOT FOUND\n"); 421 } 422 (void) fflush(stderr); 423 } 424 425 return (&keynetname); 426 427} 428 429cryptkeyres * 430key_get_conv_2_svc_prog(uid_t uid, keybuf arg) 431{ 432 static cryptkeyres res; 433 434 if (debugging) 435 (void) fprintf(stderr, "get_conv(%u, %.*s) = ", uid, 436 (int)sizeof (keybuf), arg); 437 438 439 res.status = pk_get_conv_key(uid, arg, &res); 440 441 if (debugging) { 442 if (res.status == KEY_SUCCESS) { 443 (void) fprintf(stderr, "%08x%08x\n", 444 res.cryptkeyres_u.deskey.key.high, 445 res.cryptkeyres_u.deskey.key.low); 446 } else { 447 (void) fprintf(stderr, "%s\n", strstatus(res.status)); 448 } 449 (void) fflush(stderr); 450 } 451 return (&res); 452} 453 454 455cryptkeyres * 456key_encrypt_1_svc_prog(uid_t uid, cryptkeyarg *arg) 457{ 458 static cryptkeyres res; 459 460 if (debugging) { 461 (void) fprintf(stderr, "encrypt(%u, %s, %08x%08x) = ", uid, 462 arg->remotename, arg->deskey.key.high, 463 arg->deskey.key.low); 464 } 465 res.cryptkeyres_u.deskey = arg->deskey; 466 res.status = pk_encrypt(uid, arg->remotename, NULL, 467 &res.cryptkeyres_u.deskey); 468 if (debugging) { 469 if (res.status == KEY_SUCCESS) { 470 (void) fprintf(stderr, "%08x%08x\n", 471 res.cryptkeyres_u.deskey.key.high, 472 res.cryptkeyres_u.deskey.key.low); 473 } else { 474 (void) fprintf(stderr, "%s\n", strstatus(res.status)); 475 } 476 (void) fflush(stderr); 477 } 478 return (&res); 479} 480 481cryptkeyres * 482key_decrypt_1_svc_prog(uid_t uid, cryptkeyarg *arg) 483{ 484 static cryptkeyres res; 485 486 if (debugging) { 487 (void) fprintf(stderr, "decrypt(%u, %s, %08x%08x) = ", uid, 488 arg->remotename, arg->deskey.key.high, 489 arg->deskey.key.low); 490 } 491 res.cryptkeyres_u.deskey = arg->deskey; 492 res.status = pk_decrypt(uid, arg->remotename, NULL, 493 &res.cryptkeyres_u.deskey); 494 if (debugging) { 495 if (res.status == KEY_SUCCESS) { 496 (void) fprintf(stderr, "%08x%08x\n", 497 res.cryptkeyres_u.deskey.key.high, 498 res.cryptkeyres_u.deskey.key.low); 499 } else { 500 (void) fprintf(stderr, "%s\n", strstatus(res.status)); 501 } 502 (void) fflush(stderr); 503 } 504 return (&res); 505} 506 507/* ARGSUSED */ 508des_block * 509key_gen_1_svc_prog(void *v, struct svc_req *s) 510{ 511 struct timeval time; 512 static des_block keygen; 513 static des_block key; 514 515 (void)gettimeofday(&time, NULL); 516 keygen.key.high += (time.tv_sec ^ time.tv_usec); 517 keygen.key.low += (time.tv_sec ^ time.tv_usec); 518 ecb_crypt((char *)&masterkey, (char *)&keygen, sizeof (keygen), 519 DES_ENCRYPT | DES_HW); 520 key = keygen; 521 des_setparity((char *)&key); 522 if (debugging) { 523 (void) fprintf(stderr, "gen() = %08x%08x\n", key.key.high, 524 key.key.low); 525 (void) fflush(stderr); 526 } 527 return (&key); 528} 529 530getcredres * 531key_getcred_1_svc_prog(uid_t uid, netnamestr *name) 532{ 533 static getcredres res; 534 static u_int gids[NGROUPS]; 535 struct unixcred *cred; 536 537 cred = &res.getcredres_u.cred; 538 cred->gids.gids_val = gids; 539 if (!netname2user(*name, (uid_t *) &cred->uid, (gid_t *) &cred->gid, 540 (int *)&cred->gids.gids_len, (gid_t *)gids)) { 541 res.status = KEY_UNKNOWN; 542 } else { 543 res.status = KEY_SUCCESS; 544 } 545 if (debugging) { 546 (void) fprintf(stderr, "getcred(%s) = ", *name); 547 if (res.status == KEY_SUCCESS) { 548 (void) fprintf(stderr, "uid=%d, gid=%d, grouplen=%d\n", 549 cred->uid, cred->gid, cred->gids.gids_len); 550 } else { 551 (void) fprintf(stderr, "%s\n", strstatus(res.status)); 552 } 553 (void) fflush(stderr); 554 } 555 return (&res); 556} 557 558/* 559 * RPC boilerplate 560 */ 561static void 562keyprogram(struct svc_req *rqstp, SVCXPRT *transp) 563{ 564 union { 565 keybuf key_set_1_arg; 566 cryptkeyarg key_encrypt_1_arg; 567 cryptkeyarg key_decrypt_1_arg; 568 netnamestr key_getcred_1_arg; 569 cryptkeyarg key_encrypt_2_arg; 570 cryptkeyarg key_decrypt_2_arg; 571 netnamestr key_getcred_2_arg; 572 cryptkeyarg2 key_encrypt_pk_2_arg; 573 cryptkeyarg2 key_decrypt_pk_2_arg; 574 key_netstarg key_net_put_2_arg; 575 netobj key_get_conv_2_arg; 576 } argument; 577 char *result; 578 xdrproc_t xdr_argument, xdr_result; 579 typedef void *(svc_cb)(uid_t uid, void *arg); 580 svc_cb *local; 581 uid_t uid = -1; 582 int check_auth; 583 584 switch (rqstp->rq_proc) { 585 case NULLPROC: 586 svc_sendreply(transp, (xdrproc_t)xdr_void, NULL); 587 return; 588 589 case KEY_SET: 590 xdr_argument = (xdrproc_t)xdr_keybuf; 591 xdr_result = (xdrproc_t)xdr_int; 592 local = (svc_cb *)key_set_1_svc_prog; 593 check_auth = 1; 594 break; 595 596 case KEY_ENCRYPT: 597 xdr_argument = (xdrproc_t)xdr_cryptkeyarg; 598 xdr_result = (xdrproc_t)xdr_cryptkeyres; 599 local = (svc_cb *)key_encrypt_1_svc_prog; 600 check_auth = 1; 601 break; 602 603 case KEY_DECRYPT: 604 xdr_argument = (xdrproc_t)xdr_cryptkeyarg; 605 xdr_result = (xdrproc_t)xdr_cryptkeyres; 606 local = (svc_cb *)key_decrypt_1_svc_prog; 607 check_auth = 1; 608 break; 609 610 case KEY_GEN: 611 xdr_argument = (xdrproc_t)xdr_void; 612 xdr_result = (xdrproc_t)xdr_des_block; 613 local = (svc_cb *)key_gen_1_svc_prog; 614 check_auth = 0; 615 break; 616 617 case KEY_GETCRED: 618 xdr_argument = (xdrproc_t)xdr_netnamestr; 619 xdr_result = (xdrproc_t)xdr_getcredres; 620 local = (svc_cb *)key_getcred_1_svc_prog; 621 check_auth = 0; 622 break; 623 624 case KEY_ENCRYPT_PK: 625 xdr_argument = (xdrproc_t)xdr_cryptkeyarg2; 626 xdr_result = (xdrproc_t)xdr_cryptkeyres; 627 local = (svc_cb *)key_encrypt_pk_2_svc_prog; 628 check_auth = 1; 629 break; 630 631 case KEY_DECRYPT_PK: 632 xdr_argument = (xdrproc_t)xdr_cryptkeyarg2; 633 xdr_result = (xdrproc_t)xdr_cryptkeyres; 634 local = (svc_cb *)key_decrypt_pk_2_svc_prog; 635 check_auth = 1; 636 break; 637 638 639 case KEY_NET_PUT: 640 xdr_argument = (xdrproc_t)xdr_key_netstarg; 641 xdr_result = (xdrproc_t)xdr_keystatus; 642 local = (svc_cb *)key_net_put_2_svc_prog; 643 check_auth = 1; 644 break; 645 646 case KEY_NET_GET: 647 xdr_argument = (xdrproc_t) xdr_void; 648 xdr_result = (xdrproc_t)xdr_key_netstres; 649 local = (svc_cb *)key_net_get_2_svc_prog; 650 check_auth = 1; 651 break; 652 653 case KEY_GET_CONV: 654 xdr_argument = (xdrproc_t) xdr_keybuf; 655 xdr_result = (xdrproc_t)xdr_cryptkeyres; 656 local = (svc_cb *)key_get_conv_2_svc_prog; 657 check_auth = 1; 658 break; 659 660 default: 661 svcerr_noproc(transp); 662 return; 663 } 664 if (check_auth) { 665 if (root_auth(transp, rqstp) == 0) { 666 if (debugging) { 667 (void) fprintf(stderr, 668 "not local privileged process\n"); 669 } 670 svcerr_weakauth(transp); 671 return; 672 } 673 if (rqstp->rq_cred.oa_flavor != AUTH_SYS) { 674 if (debugging) { 675 (void) fprintf(stderr, 676 "not unix authentication\n"); 677 } 678 svcerr_weakauth(transp); 679 return; 680 } 681 uid = ((struct authsys_parms *)rqstp->rq_clntcred)->aup_uid; 682 } 683 684 memset(&argument, 0, sizeof (argument)); 685 if (!svc_getargs(transp, xdr_argument, &argument)) { 686 svcerr_decode(transp); 687 return; 688 } 689 result = (*local) (uid, &argument); 690 if (!svc_sendreply(transp, xdr_result, result)) { 691 if (debugging) 692 (void) fprintf(stderr, "unable to reply\n"); 693 svcerr_systemerr(transp); 694 } 695 if (!svc_freeargs(transp, xdr_argument, &argument)) { 696 if (debugging) 697 (void) fprintf(stderr, 698 "unable to free arguments\n"); 699 exit(1); 700 } 701} 702 703static int 704root_auth(SVCXPRT *trans, struct svc_req *rqstp) 705{ 706 uid_t uid; 707 struct sockaddr *remote; 708 709 remote = svc_getrpccaller(trans)->buf; 710 if (remote->sa_family != AF_UNIX) { 711 if (debugging) 712 fprintf(stderr, "client didn't use AF_UNIX\n"); 713 return (0); 714 } 715 716 if (__rpc_get_local_uid(trans, &uid) < 0) { 717 if (debugging) 718 fprintf(stderr, "__rpc_get_local_uid failed\n"); 719 return (0); 720 } 721 722 if (debugging) 723 fprintf(stderr, "local_uid %u\n", uid); 724 if (uid == 0) 725 return (1); 726 if (rqstp->rq_cred.oa_flavor == AUTH_SYS) { 727 if (((uid_t) ((struct authunix_parms *) 728 rqstp->rq_clntcred)->aup_uid) 729 == uid) { 730 return (1); 731 } else { 732 if (debugging) 733 fprintf(stderr, 734 "local_uid %u mismatches auth %u\n", uid, 735((uid_t) ((struct authunix_parms *)rqstp->rq_clntcred)->aup_uid)); 736 return (0); 737 } 738 } else { 739 if (debugging) 740 fprintf(stderr, "Not auth sys\n"); 741 return (0); 742 } 743} 744 745static void 746usage(void) 747{ 748 (void) fprintf(stderr, 749 "usage: keyserv [-n] [-D] [-d] [-v] [-p path]\n"); 750 (void) fprintf(stderr, "-d disables the use of default keys\n"); 751 exit(1); 752} 753