1/*
2 * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
3 * unrestricted use provided that this legend is included on all tape
4 * media and as a part of the software program in whole or part.  Users
5 * may copy or modify Sun RPC without charge, but are not authorized
6 * to license or distribute it to anyone else except as part of a product or
7 * program developed by the user.
8 *
9 * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE
10 * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR
11 * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
12 *
13 * Sun RPC is provided with no support and without any obligation on the
14 * part of Sun Microsystems, Inc. to assist in its use, correction,
15 * modification or enhancement.
16 *
17 * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE
18 * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC
19 * OR ANY PART THEREOF.
20 *
21 * In no event will Sun Microsystems, Inc. be liable for any lost revenue
22 * or profits or other special, indirect and consequential damages, even if
23 * Sun has been advised of the possibility of such damages.
24 *
25 * Sun Microsystems, Inc.
26 * 2550 Garcia Avenue
27 * Mountain View, California  94043
28 */
29
30#ifndef lint
31#if 0
32static char sccsid[] = "@(#)keyserv.c	1.15	94/04/25 SMI";
33#endif
34static const char rcsid[] =
35  "$FreeBSD$";
36#endif /* not lint */
37
38/*
39 * Copyright (c) 1986 - 1991 by Sun Microsystems, Inc.
40 */
41
42/*
43 * Keyserver
44 * Store secret keys per uid. Do public key encryption and decryption
45 * operations. Generate "random" keys.
46 * Do not talk to anything but a local root
47 * process on the local transport only
48 */
49
50#include <err.h>
51#include <pwd.h>
52#include <stdio.h>
53#include <stdlib.h>
54#include <string.h>
55#include <unistd.h>
56#include <sys/stat.h>
57#include <sys/types.h>
58#include <rpc/rpc.h>
59#include <sys/param.h>
60#include <sys/file.h>
61#include <rpc/des_crypt.h>
62#include <rpc/des.h>
63#include <rpc/key_prot.h>
64#include <rpcsvc/crypt.h>
65#include "keyserv.h"
66
67#ifndef NGROUPS
68#define	NGROUPS 16
69#endif
70
71#ifndef KEYSERVSOCK
72#define KEYSERVSOCK "/var/run/keyservsock"
73#endif
74
75static void randomize( des_block * );
76static void usage( void );
77static int getrootkey( des_block *, int );
78static int root_auth( SVCXPRT *, struct svc_req * );
79
80#ifdef DEBUG
81static int debugging = 1;
82#else
83static int debugging = 0;
84#endif
85
86static void keyprogram();
87static des_block masterkey;
88char *getenv();
89static char ROOTKEY[] = "/etc/.rootkey";
90
91/*
92 * Hack to allow the keyserver to use AUTH_DES (for authenticated
93 * NIS+ calls, for example).  The only functions that get called
94 * are key_encryptsession_pk, key_decryptsession_pk, and key_gendes.
95 *
96 * The approach is to have the keyserver fill in pointers to local
97 * implementations of these functions, and to call those in key_call().
98 */
99
100extern cryptkeyres *(*__key_encryptsession_pk_LOCAL)();
101extern cryptkeyres *(*__key_decryptsession_pk_LOCAL)();
102extern des_block *(*__key_gendes_LOCAL)();
103extern int (*__des_crypt_LOCAL)();
104
105cryptkeyres *key_encrypt_pk_2_svc_prog( uid_t, cryptkeyarg2 * );
106cryptkeyres *key_decrypt_pk_2_svc_prog( uid_t, cryptkeyarg2 * );
107des_block *key_gen_1_svc_prog( void *, struct svc_req * );
108
109int
110main(argc, argv)
111	int argc;
112	char *argv[];
113{
114	int nflag = 0;
115	int c;
116	int warn = 0;
117	char *path = NULL;
118	void *localhandle;
119	register SVCXPRT *transp;
120	struct netconfig *nconf = NULL;
121
122	__key_encryptsession_pk_LOCAL = &key_encrypt_pk_2_svc_prog;
123	__key_decryptsession_pk_LOCAL = &key_decrypt_pk_2_svc_prog;
124	__key_gendes_LOCAL = &key_gen_1_svc_prog;
125
126	while ((c = getopt(argc, argv, "ndDvp:")) != -1)
127		switch (c) {
128		case 'n':
129			nflag++;
130			break;
131		case 'd':
132			pk_nodefaultkeys();
133			break;
134		case 'D':
135			debugging = 1;
136			break;
137		case 'v':
138			warn = 1;
139			break;
140		case 'p':
141			path = optarg;
142			break;
143		default:
144			usage();
145		}
146
147	load_des(warn, path);
148	__des_crypt_LOCAL = _my_crypt;
149	if (svc_auth_reg(AUTH_DES, _svcauth_des) == -1)
150		errx(1, "failed to register AUTH_DES authenticator");
151
152	if (optind != argc) {
153		usage();
154	}
155
156	/*
157	 * Initialize
158	 */
159	(void) umask(S_IXUSR|S_IXGRP|S_IXOTH);
160	if (geteuid() != 0)
161		errx(1, "keyserv must be run as root");
162	setmodulus(HEXMODULUS);
163	getrootkey(&masterkey, nflag);
164
165	rpcb_unset(KEY_PROG, KEY_VERS, NULL);
166	rpcb_unset(KEY_PROG, KEY_VERS2, NULL);
167
168	if (svc_create(keyprogram, KEY_PROG, KEY_VERS,
169		"netpath") == 0) {
170		(void) fprintf(stderr,
171			"%s: unable to create service\n", argv[0]);
172		exit(1);
173	}
174
175	if (svc_create(keyprogram, KEY_PROG, KEY_VERS2,
176	"netpath") == 0) {
177		(void) fprintf(stderr,
178			"%s: unable to create service\n", argv[0]);
179		exit(1);
180	}
181
182	localhandle = setnetconfig();
183	while ((nconf = getnetconfig(localhandle)) != NULL) {
184		if (nconf->nc_protofmly != NULL &&
185		    strcmp(nconf->nc_protofmly, NC_LOOPBACK) == 0)
186			break;
187	}
188
189	if (nconf == NULL)
190		errx(1, "getnetconfig: %s", nc_sperror());
191
192	unlink(KEYSERVSOCK);
193	rpcb_unset(CRYPT_PROG, CRYPT_VERS, nconf);
194	transp = svcunix_create(RPC_ANYSOCK, 0, 0, KEYSERVSOCK);
195	if (transp == NULL)
196		errx(1, "cannot create AF_LOCAL service");
197	if (!svc_reg(transp, KEY_PROG, KEY_VERS, keyprogram, nconf))
198		errx(1, "unable to register (KEY_PROG, KEY_VERS, unix)");
199	if (!svc_reg(transp, KEY_PROG, KEY_VERS2, keyprogram, nconf))
200		errx(1, "unable to register (KEY_PROG, KEY_VERS2, unix)");
201	if (!svc_reg(transp, CRYPT_PROG, CRYPT_VERS, crypt_prog_1, nconf))
202		errx(1, "unable to register (CRYPT_PROG, CRYPT_VERS, unix)");
203
204	endnetconfig(localhandle);
205
206	(void) umask(066);	/* paranoia */
207
208	if (!debugging) {
209		daemon(0,0);
210	}
211
212	signal(SIGPIPE, SIG_IGN);
213
214	svc_run();
215	abort();
216	/* NOTREACHED */
217}
218
219/*
220 * In the event that we don't get a root password, we try to
221 * randomize the master key the best we can
222 */
223static void
224randomize(master)
225	des_block *master;
226{
227	master->key.low = arc4random();
228	master->key.high = arc4random();
229}
230
231/*
232 * Try to get root's secret key, by prompting if terminal is a tty, else trying
233 * from standard input.
234 * Returns 1 on success.
235 */
236static int
237getrootkey(master, prompt)
238	des_block *master;
239	int prompt;
240{
241	char *passwd;
242	char name[MAXNETNAMELEN + 1];
243	char secret[HEXKEYBYTES];
244	key_netstarg netstore;
245	int fd;
246
247	if (!prompt) {
248		/*
249		 * Read secret key out of ROOTKEY
250		 */
251		fd = open(ROOTKEY, O_RDONLY, 0);
252		if (fd < 0) {
253			randomize(master);
254			return (0);
255		}
256		if (read(fd, secret, HEXKEYBYTES) < HEXKEYBYTES) {
257			warnx("the key read from %s was too short", ROOTKEY);
258			(void) close(fd);
259			return (0);
260		}
261		(void) close(fd);
262		if (!getnetname(name)) {
263		    warnx(
264	"failed to generate host's netname when establishing root's key");
265		    return (0);
266		}
267		memcpy(netstore.st_priv_key, secret, HEXKEYBYTES);
268		memset(netstore.st_pub_key, 0, HEXKEYBYTES);
269		netstore.st_netname = name;
270		if (pk_netput(0, &netstore) != KEY_SUCCESS) {
271		    warnx("could not set root's key and netname");
272		    return (0);
273		}
274		return (1);
275	}
276	/*
277	 * Decrypt yellow pages publickey entry to get secret key
278	 */
279	passwd = getpass("root password:");
280	passwd2des(passwd, (char *)master);
281	getnetname(name);
282	if (!getsecretkey(name, secret, passwd)) {
283		warnx("can't find %s's secret key", name);
284		return (0);
285	}
286	if (secret[0] == 0) {
287		warnx("password does not decrypt secret key for %s", name);
288		return (0);
289	}
290	(void) pk_setkey(0, secret);
291	/*
292	 * Store it for future use in $ROOTKEY, if possible
293	 */
294	fd = open(ROOTKEY, O_WRONLY|O_TRUNC|O_CREAT, 0);
295	if (fd > 0) {
296		char newline = '\n';
297
298		write(fd, secret, strlen(secret));
299		write(fd, &newline, sizeof (newline));
300		close(fd);
301	}
302	return (1);
303}
304
305/*
306 * Procedures to implement RPC service
307 */
308char *
309strstatus(status)
310	keystatus status;
311{
312	switch (status) {
313	case KEY_SUCCESS:
314		return ("KEY_SUCCESS");
315	case KEY_NOSECRET:
316		return ("KEY_NOSECRET");
317	case KEY_UNKNOWN:
318		return ("KEY_UNKNOWN");
319	case KEY_SYSTEMERR:
320		return ("KEY_SYSTEMERR");
321	default:
322		return ("(bad result code)");
323	}
324}
325
326keystatus *
327key_set_1_svc_prog(uid, key)
328	uid_t uid;
329	keybuf key;
330{
331	static keystatus status;
332
333	if (debugging) {
334		(void) fprintf(stderr, "set(%u, %.*s) = ", uid,
335				(int) sizeof (keybuf), key);
336	}
337	status = pk_setkey(uid, key);
338	if (debugging) {
339		(void) fprintf(stderr, "%s\n", strstatus(status));
340		(void) fflush(stderr);
341	}
342	return (&status);
343}
344
345cryptkeyres *
346key_encrypt_pk_2_svc_prog(uid, arg)
347	uid_t uid;
348	cryptkeyarg2 *arg;
349{
350	static cryptkeyres res;
351
352	if (debugging) {
353		(void) fprintf(stderr, "encrypt(%u, %s, %08x%08x) = ", uid,
354				arg->remotename, arg->deskey.key.high,
355				arg->deskey.key.low);
356	}
357	res.cryptkeyres_u.deskey = arg->deskey;
358	res.status = pk_encrypt(uid, arg->remotename, &(arg->remotekey),
359				&res.cryptkeyres_u.deskey);
360	if (debugging) {
361		if (res.status == KEY_SUCCESS) {
362			(void) fprintf(stderr, "%08x%08x\n",
363					res.cryptkeyres_u.deskey.key.high,
364					res.cryptkeyres_u.deskey.key.low);
365		} else {
366			(void) fprintf(stderr, "%s\n", strstatus(res.status));
367		}
368		(void) fflush(stderr);
369	}
370	return (&res);
371}
372
373cryptkeyres *
374key_decrypt_pk_2_svc_prog(uid, arg)
375	uid_t uid;
376	cryptkeyarg2 *arg;
377{
378	static cryptkeyres res;
379
380	if (debugging) {
381		(void) fprintf(stderr, "decrypt(%u, %s, %08x%08x) = ", uid,
382				arg->remotename, arg->deskey.key.high,
383				arg->deskey.key.low);
384	}
385	res.cryptkeyres_u.deskey = arg->deskey;
386	res.status = pk_decrypt(uid, arg->remotename, &(arg->remotekey),
387				&res.cryptkeyres_u.deskey);
388	if (debugging) {
389		if (res.status == KEY_SUCCESS) {
390			(void) fprintf(stderr, "%08x%08x\n",
391					res.cryptkeyres_u.deskey.key.high,
392					res.cryptkeyres_u.deskey.key.low);
393		} else {
394			(void) fprintf(stderr, "%s\n", strstatus(res.status));
395		}
396		(void) fflush(stderr);
397	}
398	return (&res);
399}
400
401keystatus *
402key_net_put_2_svc_prog(uid, arg)
403	uid_t uid;
404	key_netstarg *arg;
405{
406	static keystatus status;
407
408	if (debugging) {
409		(void) fprintf(stderr, "net_put(%s, %.*s, %.*s) = ",
410			arg->st_netname, (int)sizeof (arg->st_pub_key),
411			arg->st_pub_key, (int)sizeof (arg->st_priv_key),
412			arg->st_priv_key);
413	}
414
415	status = pk_netput(uid, arg);
416
417	if (debugging) {
418		(void) fprintf(stderr, "%s\n", strstatus(status));
419		(void) fflush(stderr);
420	}
421
422	return (&status);
423}
424
425key_netstres *
426key_net_get_2_svc_prog(uid, arg)
427	uid_t uid;
428	void *arg;
429{
430	static key_netstres keynetname;
431
432	if (debugging)
433		(void) fprintf(stderr, "net_get(%u) = ", uid);
434
435	keynetname.status = pk_netget(uid, &keynetname.key_netstres_u.knet);
436	if (debugging) {
437		if (keynetname.status == KEY_SUCCESS) {
438			fprintf(stderr, "<%s, %.*s, %.*s>\n",
439			keynetname.key_netstres_u.knet.st_netname,
440			(int)sizeof (keynetname.key_netstres_u.knet.st_pub_key),
441			keynetname.key_netstres_u.knet.st_pub_key,
442			(int)sizeof (keynetname.key_netstres_u.knet.st_priv_key),
443			keynetname.key_netstres_u.knet.st_priv_key);
444		} else {
445			(void) fprintf(stderr, "NOT FOUND\n");
446		}
447		(void) fflush(stderr);
448	}
449
450	return (&keynetname);
451
452}
453
454cryptkeyres *
455key_get_conv_2_svc_prog(uid, arg)
456	uid_t uid;
457	keybuf arg;
458{
459	static cryptkeyres  res;
460
461	if (debugging)
462		(void) fprintf(stderr, "get_conv(%u, %.*s) = ", uid,
463			(int)sizeof (keybuf), arg);
464
465
466	res.status = pk_get_conv_key(uid, arg, &res);
467
468	if (debugging) {
469		if (res.status == KEY_SUCCESS) {
470			(void) fprintf(stderr, "%08x%08x\n",
471				res.cryptkeyres_u.deskey.key.high,
472				res.cryptkeyres_u.deskey.key.low);
473		} else {
474			(void) fprintf(stderr, "%s\n", strstatus(res.status));
475		}
476		(void) fflush(stderr);
477	}
478	return (&res);
479}
480
481
482cryptkeyres *
483key_encrypt_1_svc_prog(uid, arg)
484	uid_t uid;
485	cryptkeyarg *arg;
486{
487	static cryptkeyres res;
488
489	if (debugging) {
490		(void) fprintf(stderr, "encrypt(%u, %s, %08x%08x) = ", uid,
491				arg->remotename, arg->deskey.key.high,
492				arg->deskey.key.low);
493	}
494	res.cryptkeyres_u.deskey = arg->deskey;
495	res.status = pk_encrypt(uid, arg->remotename, NULL,
496				&res.cryptkeyres_u.deskey);
497	if (debugging) {
498		if (res.status == KEY_SUCCESS) {
499			(void) fprintf(stderr, "%08x%08x\n",
500					res.cryptkeyres_u.deskey.key.high,
501					res.cryptkeyres_u.deskey.key.low);
502		} else {
503			(void) fprintf(stderr, "%s\n", strstatus(res.status));
504		}
505		(void) fflush(stderr);
506	}
507	return (&res);
508}
509
510cryptkeyres *
511key_decrypt_1_svc_prog(uid, arg)
512	uid_t uid;
513	cryptkeyarg *arg;
514{
515	static cryptkeyres res;
516
517	if (debugging) {
518		(void) fprintf(stderr, "decrypt(%u, %s, %08x%08x) = ", uid,
519				arg->remotename, arg->deskey.key.high,
520				arg->deskey.key.low);
521	}
522	res.cryptkeyres_u.deskey = arg->deskey;
523	res.status = pk_decrypt(uid, arg->remotename, NULL,
524				&res.cryptkeyres_u.deskey);
525	if (debugging) {
526		if (res.status == KEY_SUCCESS) {
527			(void) fprintf(stderr, "%08x%08x\n",
528					res.cryptkeyres_u.deskey.key.high,
529					res.cryptkeyres_u.deskey.key.low);
530		} else {
531			(void) fprintf(stderr, "%s\n", strstatus(res.status));
532		}
533		(void) fflush(stderr);
534	}
535	return (&res);
536}
537
538/* ARGSUSED */
539des_block *
540key_gen_1_svc_prog(v, s)
541	void	*v;
542	struct svc_req	*s;
543{
544	struct timeval time;
545	static des_block keygen;
546	static des_block key;
547
548	(void)gettimeofday(&time, NULL);
549	keygen.key.high += (time.tv_sec ^ time.tv_usec);
550	keygen.key.low += (time.tv_sec ^ time.tv_usec);
551	ecb_crypt((char *)&masterkey, (char *)&keygen, sizeof (keygen),
552		DES_ENCRYPT | DES_HW);
553	key = keygen;
554	des_setparity((char *)&key);
555	if (debugging) {
556		(void) fprintf(stderr, "gen() = %08x%08x\n", key.key.high,
557					key.key.low);
558		(void) fflush(stderr);
559	}
560	return (&key);
561}
562
563getcredres *
564key_getcred_1_svc_prog(uid, name)
565	uid_t uid;
566	netnamestr *name;
567{
568	static getcredres res;
569	static u_int gids[NGROUPS];
570	struct unixcred *cred;
571
572	cred = &res.getcredres_u.cred;
573	cred->gids.gids_val = gids;
574	if (!netname2user(*name, (uid_t *) &cred->uid, (gid_t *) &cred->gid,
575			(int *)&cred->gids.gids_len, (gid_t *)gids)) {
576		res.status = KEY_UNKNOWN;
577	} else {
578		res.status = KEY_SUCCESS;
579	}
580	if (debugging) {
581		(void) fprintf(stderr, "getcred(%s) = ", *name);
582		if (res.status == KEY_SUCCESS) {
583			(void) fprintf(stderr, "uid=%d, gid=%d, grouplen=%d\n",
584				cred->uid, cred->gid, cred->gids.gids_len);
585		} else {
586			(void) fprintf(stderr, "%s\n", strstatus(res.status));
587		}
588		(void) fflush(stderr);
589	}
590	return (&res);
591}
592
593/*
594 * RPC boilerplate
595 */
596static void
597keyprogram(rqstp, transp)
598	struct svc_req *rqstp;
599	SVCXPRT *transp;
600{
601	union {
602		keybuf key_set_1_arg;
603		cryptkeyarg key_encrypt_1_arg;
604		cryptkeyarg key_decrypt_1_arg;
605		netnamestr key_getcred_1_arg;
606		cryptkeyarg key_encrypt_2_arg;
607		cryptkeyarg key_decrypt_2_arg;
608		netnamestr key_getcred_2_arg;
609		cryptkeyarg2 key_encrypt_pk_2_arg;
610		cryptkeyarg2 key_decrypt_pk_2_arg;
611		key_netstarg key_net_put_2_arg;
612		netobj  key_get_conv_2_arg;
613	} argument;
614	char *result;
615	xdrproc_t xdr_argument, xdr_result;
616	char *(*local) ();
617	uid_t uid = -1;
618	int check_auth;
619
620	switch (rqstp->rq_proc) {
621	case NULLPROC:
622		svc_sendreply(transp, (xdrproc_t)xdr_void, NULL);
623		return;
624
625	case KEY_SET:
626		xdr_argument = (xdrproc_t)xdr_keybuf;
627		xdr_result = (xdrproc_t)xdr_int;
628		local = (char *(*)()) key_set_1_svc_prog;
629		check_auth = 1;
630		break;
631
632	case KEY_ENCRYPT:
633		xdr_argument = (xdrproc_t)xdr_cryptkeyarg;
634		xdr_result = (xdrproc_t)xdr_cryptkeyres;
635		local = (char *(*)()) key_encrypt_1_svc_prog;
636		check_auth = 1;
637		break;
638
639	case KEY_DECRYPT:
640		xdr_argument = (xdrproc_t)xdr_cryptkeyarg;
641		xdr_result = (xdrproc_t)xdr_cryptkeyres;
642		local = (char *(*)()) key_decrypt_1_svc_prog;
643		check_auth = 1;
644		break;
645
646	case KEY_GEN:
647		xdr_argument = (xdrproc_t)xdr_void;
648		xdr_result = (xdrproc_t)xdr_des_block;
649		local = (char *(*)()) key_gen_1_svc_prog;
650		check_auth = 0;
651		break;
652
653	case KEY_GETCRED:
654		xdr_argument = (xdrproc_t)xdr_netnamestr;
655		xdr_result = (xdrproc_t)xdr_getcredres;
656		local = (char *(*)()) key_getcred_1_svc_prog;
657		check_auth = 0;
658		break;
659
660	case KEY_ENCRYPT_PK:
661		xdr_argument = (xdrproc_t)xdr_cryptkeyarg2;
662		xdr_result = (xdrproc_t)xdr_cryptkeyres;
663		local = (char *(*)()) key_encrypt_pk_2_svc_prog;
664		check_auth = 1;
665		break;
666
667	case KEY_DECRYPT_PK:
668		xdr_argument = (xdrproc_t)xdr_cryptkeyarg2;
669		xdr_result = (xdrproc_t)xdr_cryptkeyres;
670		local = (char *(*)()) key_decrypt_pk_2_svc_prog;
671		check_auth = 1;
672		break;
673
674
675	case KEY_NET_PUT:
676		xdr_argument = (xdrproc_t)xdr_key_netstarg;
677		xdr_result = (xdrproc_t)xdr_keystatus;
678		local = (char *(*)()) key_net_put_2_svc_prog;
679		check_auth = 1;
680		break;
681
682	case KEY_NET_GET:
683		xdr_argument = (xdrproc_t) xdr_void;
684		xdr_result = (xdrproc_t)xdr_key_netstres;
685		local = (char *(*)()) key_net_get_2_svc_prog;
686		check_auth = 1;
687		break;
688
689	case KEY_GET_CONV:
690		xdr_argument = (xdrproc_t) xdr_keybuf;
691		xdr_result = (xdrproc_t)xdr_cryptkeyres;
692		local = (char *(*)()) key_get_conv_2_svc_prog;
693		check_auth = 1;
694		break;
695
696	default:
697		svcerr_noproc(transp);
698		return;
699	}
700	if (check_auth) {
701		if (root_auth(transp, rqstp) == 0) {
702			if (debugging) {
703				(void) fprintf(stderr,
704				"not local privileged process\n");
705			}
706			svcerr_weakauth(transp);
707			return;
708		}
709		if (rqstp->rq_cred.oa_flavor != AUTH_SYS) {
710			if (debugging) {
711				(void) fprintf(stderr,
712				"not unix authentication\n");
713			}
714			svcerr_weakauth(transp);
715			return;
716		}
717		uid = ((struct authsys_parms *)rqstp->rq_clntcred)->aup_uid;
718	}
719
720	memset(&argument, 0, sizeof (argument));
721	if (!svc_getargs(transp, xdr_argument, &argument)) {
722		svcerr_decode(transp);
723		return;
724	}
725	result = (*local) (uid, &argument);
726	if (!svc_sendreply(transp, xdr_result, result)) {
727		if (debugging)
728			(void) fprintf(stderr, "unable to reply\n");
729		svcerr_systemerr(transp);
730	}
731	if (!svc_freeargs(transp, xdr_argument, &argument)) {
732		if (debugging)
733			(void) fprintf(stderr,
734			"unable to free arguments\n");
735		exit(1);
736	}
737	return;
738}
739
740static int
741root_auth(trans, rqstp)
742	SVCXPRT *trans;
743	struct svc_req *rqstp;
744{
745	uid_t uid;
746	struct sockaddr *remote;
747
748	remote = svc_getrpccaller(trans)->buf;
749	if (remote->sa_family != AF_UNIX) {
750		if (debugging)
751			fprintf(stderr, "client didn't use AF_UNIX\n");
752		return (0);
753	}
754
755	if (__rpc_get_local_uid(trans, &uid) < 0) {
756		if (debugging)
757			fprintf(stderr, "__rpc_get_local_uid failed\n");
758		return (0);
759	}
760
761	if (debugging)
762		fprintf(stderr, "local_uid  %u\n", uid);
763	if (uid == 0)
764		return (1);
765	if (rqstp->rq_cred.oa_flavor == AUTH_SYS) {
766		if (((uid_t) ((struct authunix_parms *)
767			rqstp->rq_clntcred)->aup_uid)
768			== uid) {
769			return (1);
770		} else {
771			if (debugging)
772				fprintf(stderr,
773			"local_uid  %u mismatches auth %u\n", uid,
774((uid_t) ((struct authunix_parms *)rqstp->rq_clntcred)->aup_uid));
775			return (0);
776		}
777	} else {
778		if (debugging)
779			fprintf(stderr, "Not auth sys\n");
780		return (0);
781	}
782}
783
784static void
785usage()
786{
787	(void) fprintf(stderr,
788			"usage: keyserv [-n] [-D] [-d] [-v] [-p path]\n");
789	(void) fprintf(stderr, "-d disables the use of default keys\n");
790	exit(1);
791}
792