ipropd_slave.c revision 102644
1196200Sscottl/* 2196200Sscottl * Copyright (c) 1997 - 2002 Kungliga Tekniska H�gskolan 3196200Sscottl * (Royal Institute of Technology, Stockholm, Sweden). 4196200Sscottl * All rights reserved. 5196200Sscottl * 6196280Sscottl * Redistribution and use in source and binary forms, with or without 7196200Sscottl * modification, are permitted provided that the following conditions 8196200Sscottl * are met: 9196200Sscottl * 10196200Sscottl * 1. Redistributions of source code must retain the above copyright 11204329Sru * notice, this list of conditions and the following disclaimer. 12196200Sscottl * 13196200Sscottl * 2. Redistributions in binary form must reproduce the above copyright 14196200Sscottl * notice, this list of conditions and the following disclaimer in the 15196200Sscottl * documentation and/or other materials provided with the distribution. 16196200Sscottl * 17196200Sscottl * 3. Neither the name of the Institute nor the names of its contributors 18196200Sscottl * may be used to endorse or promote products derived from this software 19196200Sscottl * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#include "iprop.h" 35 36RCSID("$Id: ipropd_slave.c,v 1.26 2002/08/26 13:29:37 assar Exp $"); 37 38static krb5_log_facility *log_facility; 39 40static int 41connect_to_master (krb5_context context, const char *master) 42{ 43 int fd; 44 struct sockaddr_in addr; 45 struct hostent *he; 46 47 fd = socket (AF_INET, SOCK_STREAM, 0); 48 if (fd < 0) 49 krb5_err (context, 1, errno, "socket AF_INET"); 50 memset (&addr, 0, sizeof(addr)); 51 addr.sin_family = AF_INET; 52 addr.sin_port = krb5_getportbyname (context, 53 IPROP_SERVICE, "tcp", IPROP_PORT); 54 he = roken_gethostbyname (master); 55 if (he == NULL) 56 krb5_errx (context, 1, "gethostbyname: %s", hstrerror(h_errno)); 57 memcpy (&addr.sin_addr, he->h_addr, sizeof(addr.sin_addr)); 58 if(connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) 59 krb5_err (context, 1, errno, "connect"); 60 return fd; 61} 62 63static void 64get_creds(krb5_context context, const char *keytab_str, 65 krb5_ccache *cache, const char *host) 66{ 67 krb5_keytab keytab; 68 krb5_principal client; 69 krb5_error_code ret; 70 krb5_get_init_creds_opt init_opts; 71 krb5_creds creds; 72 char *server; 73 char keytab_buf[256]; 74 75 if (keytab_str == NULL) { 76 ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf)); 77 if (ret) 78 krb5_err (context, 1, ret, "krb5_kt_default_name"); 79 keytab_str = keytab_buf; 80 } 81 82 ret = krb5_kt_resolve(context, keytab_str, &keytab); 83 if(ret) 84 krb5_err(context, 1, ret, "%s", keytab_str); 85 86 ret = krb5_sname_to_principal (context, NULL, IPROP_NAME, 87 KRB5_NT_SRV_HST, &client); 88 if (ret) krb5_err(context, 1, ret, "krb5_sname_to_principal"); 89 90 krb5_get_init_creds_opt_init(&init_opts); 91 92 asprintf (&server, "%s/%s", IPROP_NAME, host); 93 if (server == NULL) 94 krb5_errx (context, 1, "malloc: no memory"); 95 96 ret = krb5_get_init_creds_keytab(context, &creds, client, keytab, 97 0, server, &init_opts); 98 free (server); 99 if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds"); 100 101 ret = krb5_kt_close(context, keytab); 102 if(ret) krb5_err(context, 1, ret, "krb5_kt_close"); 103 104 ret = krb5_cc_gen_new(context, &krb5_mcc_ops, cache); 105 if(ret) krb5_err(context, 1, ret, "krb5_cc_gen_new"); 106 107 ret = krb5_cc_initialize(context, *cache, client); 108 if(ret) krb5_err(context, 1, ret, "krb5_cc_initialize"); 109 110 ret = krb5_cc_store_cred(context, *cache, &creds); 111 if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred"); 112} 113 114static void 115ihave (krb5_context context, krb5_auth_context auth_context, 116 int fd, u_int32_t version) 117{ 118 int ret; 119 u_char buf[8]; 120 krb5_storage *sp; 121 krb5_data data, priv_data; 122 123 sp = krb5_storage_from_mem (buf, 8); 124 krb5_store_int32 (sp, I_HAVE); 125 krb5_store_int32 (sp, version); 126 krb5_storage_free (sp); 127 data.length = 8; 128 data.data = buf; 129 130 ret = krb5_mk_priv (context, auth_context, &data, &priv_data, NULL); 131 if (ret) 132 krb5_err (context, 1, ret, "krb_mk_priv"); 133 134 ret = krb5_write_message (context, &fd, &priv_data); 135 if (ret) 136 krb5_err (context, 1, ret, "krb5_write_message"); 137 138 krb5_data_free (&priv_data); 139} 140 141static void 142receive_loop (krb5_context context, 143 krb5_storage *sp, 144 kadm5_server_context *server_context) 145{ 146 int ret; 147 off_t left, right; 148 void *buf; 149 int32_t vers; 150 151 do { 152 int32_t len, timestamp, tmp; 153 enum kadm_ops op; 154 155 if(krb5_ret_int32 (sp, &vers) != 0) 156 return; 157 krb5_ret_int32 (sp, ×tamp); 158 krb5_ret_int32 (sp, &tmp); 159 op = tmp; 160 krb5_ret_int32 (sp, &len); 161 if (vers <= server_context->log_context.version) 162 krb5_storage_seek(sp, len, SEEK_CUR); 163 } while(vers <= server_context->log_context.version); 164 165 left = krb5_storage_seek (sp, -16, SEEK_CUR); 166 right = krb5_storage_seek (sp, 0, SEEK_END); 167 buf = malloc (right - left); 168 if (buf == NULL && (right - left) != 0) { 169 krb5_warnx (context, "malloc: no memory"); 170 return; 171 } 172 krb5_storage_seek (sp, left, SEEK_SET); 173 krb5_storage_read (sp, buf, right - left); 174 write (server_context->log_context.log_fd, buf, right-left); 175 fsync (server_context->log_context.log_fd); 176 free (buf); 177 178 krb5_storage_seek (sp, left, SEEK_SET); 179 180 for(;;) { 181 int32_t len, timestamp, tmp; 182 enum kadm_ops op; 183 184 if(krb5_ret_int32 (sp, &vers) != 0) 185 break; 186 krb5_ret_int32 (sp, ×tamp); 187 krb5_ret_int32 (sp, &tmp); 188 op = tmp; 189 krb5_ret_int32 (sp, &len); 190 191 ret = kadm5_log_replay (server_context, 192 op, vers, len, sp); 193 if (ret) 194 krb5_warn (context, ret, "kadm5_log_replay"); 195 else 196 server_context->log_context.version = vers; 197 krb5_storage_seek (sp, 8, SEEK_CUR); 198 } 199} 200 201static void 202receive (krb5_context context, 203 krb5_storage *sp, 204 kadm5_server_context *server_context) 205{ 206 int ret; 207 208 ret = server_context->db->open(context, 209 server_context->db, 210 O_RDWR | O_CREAT, 0600); 211 if (ret) 212 krb5_err (context, 1, ret, "db->open"); 213 214 receive_loop (context, sp, server_context); 215 216 ret = server_context->db->close (context, server_context->db); 217 if (ret) 218 krb5_err (context, 1, ret, "db->close"); 219} 220 221static void 222receive_everything (krb5_context context, int fd, 223 kadm5_server_context *server_context, 224 krb5_auth_context auth_context) 225{ 226 int ret; 227 krb5_data data; 228 int32_t vno; 229 int32_t opcode; 230 unsigned long tmp; 231 232 ret = server_context->db->open(context, 233 server_context->db, 234 O_RDWR | O_CREAT | O_TRUNC, 0600); 235 if (ret) 236 krb5_err (context, 1, ret, "db->open"); 237 238 do { 239 krb5_storage *sp; 240 241 ret = krb5_read_priv_message(context, auth_context, &fd, &data); 242 243 if (ret) 244 krb5_err (context, 1, ret, "krb5_read_priv_message"); 245 246 sp = krb5_storage_from_data (&data); 247 krb5_ret_int32 (sp, &opcode); 248 if (opcode == ONE_PRINC) { 249 krb5_data fake_data; 250 hdb_entry entry; 251 252 fake_data.data = (char *)data.data + 4; 253 fake_data.length = data.length - 4; 254 255 ret = hdb_value2entry (context, &fake_data, &entry); 256 if (ret) 257 krb5_err (context, 1, ret, "hdb_value2entry"); 258 ret = server_context->db->store(server_context->context, 259 server_context->db, 260 0, &entry); 261 if (ret) 262 krb5_err (context, 1, ret, "hdb_store"); 263 264 hdb_free_entry (context, &entry); 265 krb5_data_free (&data); 266 } 267 } while (opcode == ONE_PRINC); 268 269 if (opcode != NOW_YOU_HAVE) 270 krb5_errx (context, 1, "receive_everything: strange %d", opcode); 271 272 _krb5_get_int ((char *)data.data + 4, &tmp, 4); 273 vno = tmp; 274 275 ret = kadm5_log_reinit (server_context); 276 if (ret) 277 krb5_err(context, 1, ret, "kadm5_log_reinit"); 278 279 ret = kadm5_log_set_version (server_context, vno - 1); 280 if (ret) 281 krb5_err (context, 1, ret, "kadm5_log_set_version"); 282 283 ret = kadm5_log_nop (server_context); 284 if (ret) 285 krb5_err (context, 1, ret, "kadm5_log_nop"); 286 287 krb5_data_free (&data); 288 289 ret = server_context->db->close (context, server_context->db); 290 if (ret) 291 krb5_err (context, 1, ret, "db->close"); 292} 293 294static char *realm; 295static int version_flag; 296static int help_flag; 297static char *keytab_str; 298 299static struct getargs args[] = { 300 { "realm", 'r', arg_string, &realm }, 301 { "keytab", 'k', arg_string, &keytab_str, 302 "keytab to get authentication from", "kspec" }, 303 { "version", 0, arg_flag, &version_flag }, 304 { "help", 0, arg_flag, &help_flag } 305}; 306 307static int num_args = sizeof(args) / sizeof(args[0]); 308 309static void 310usage (int code, struct getargs *args, int num_args) 311{ 312 arg_printusage (args, num_args, NULL, "master"); 313 exit (code); 314} 315 316int 317main(int argc, char **argv) 318{ 319 krb5_error_code ret; 320 krb5_context context; 321 krb5_auth_context auth_context; 322 void *kadm_handle; 323 kadm5_server_context *server_context; 324 kadm5_config_params conf; 325 int master_fd; 326 krb5_ccache ccache; 327 krb5_principal server; 328 329 int optind; 330 const char *master; 331 332 optind = krb5_program_setup(&context, argc, argv, args, num_args, usage); 333 334 if(help_flag) 335 usage (0, args, num_args); 336 if(version_flag) { 337 print_version(NULL); 338 exit(0); 339 } 340 341 argc -= optind; 342 argv += optind; 343 344 if (argc != 1) 345 usage (1, args, num_args); 346 347 master = argv[0]; 348 349 pidfile (NULL); 350 krb5_openlog (context, "ipropd-slave", &log_facility); 351 krb5_set_warn_dest(context, log_facility); 352 353 ret = krb5_kt_register(context, &hdb_kt_ops); 354 if(ret) 355 krb5_err(context, 1, ret, "krb5_kt_register"); 356 357 memset(&conf, 0, sizeof(conf)); 358 if(realm) { 359 conf.mask |= KADM5_CONFIG_REALM; 360 conf.realm = realm; 361 } 362 ret = kadm5_init_with_password_ctx (context, 363 KADM5_ADMIN_SERVICE, 364 NULL, 365 KADM5_ADMIN_SERVICE, 366 &conf, 0, 0, 367 &kadm_handle); 368 if (ret) 369 krb5_err (context, 1, ret, "kadm5_init_with_password_ctx"); 370 371 server_context = (kadm5_server_context *)kadm_handle; 372 373 ret = kadm5_log_init (server_context); 374 if (ret) 375 krb5_err (context, 1, ret, "kadm5_log_init"); 376 377 get_creds(context, keytab_str, &ccache, master); 378 379 master_fd = connect_to_master (context, master); 380 381 ret = krb5_sname_to_principal (context, master, IPROP_NAME, 382 KRB5_NT_SRV_HST, &server); 383 if (ret) 384 krb5_err (context, 1, ret, "krb5_sname_to_principal"); 385 386 auth_context = NULL; 387 ret = krb5_sendauth (context, &auth_context, &master_fd, 388 IPROP_VERSION, NULL, server, 389 AP_OPTS_MUTUAL_REQUIRED, NULL, NULL, 390 ccache, NULL, NULL, NULL); 391 if (ret) 392 krb5_err (context, 1, ret, "krb5_sendauth"); 393 394 ihave (context, auth_context, master_fd, 395 server_context->log_context.version); 396 397 for (;;) { 398 int ret; 399 krb5_data out; 400 krb5_storage *sp; 401 int32_t tmp; 402 403 ret = krb5_read_priv_message(context, auth_context, &master_fd, &out); 404 405 if (ret) 406 krb5_err (context, 1, ret, "krb5_read_priv_message"); 407 408 sp = krb5_storage_from_mem (out.data, out.length); 409 krb5_ret_int32 (sp, &tmp); 410 switch (tmp) { 411 case FOR_YOU : 412 receive (context, sp, server_context); 413 ihave (context, auth_context, master_fd, 414 server_context->log_context.version); 415 break; 416 case TELL_YOU_EVERYTHING : 417 receive_everything (context, master_fd, server_context, 418 auth_context); 419 break; 420 case NOW_YOU_HAVE : 421 case I_HAVE : 422 case ONE_PRINC : 423 default : 424 krb5_warnx (context, "Ignoring command %d", tmp); 425 break; 426 } 427 krb5_storage_free (sp); 428 krb5_data_free (&out); 429 } 430 431 return 0; 432} 433