1 /* 2 * Copyright (c) 1997 - 2001 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "iprop.h" 35 36 RCSID("$Id: ipropd_slave.c,v 1.24 2001/08/31 03:12:17 assar Exp $"); 37 38 static krb5_log_facility *log_facility; 39 40 static int 41 connect_to_master (krb5_context context, const char *master) 42 { 43 int fd; 44 struct sockaddr_in addr; 45 struct hostent *he; 46 47 fd = socket (AF_INET, SOCK_STREAM, 0); 48 if (fd < 0) 49 krb5_err (context, 1, errno, "socket AF_INET"); 50 memset (&addr, 0, sizeof(addr)); 51 addr.sin_family = AF_INET; 52 addr.sin_port = krb5_getportbyname (context, 53 IPROP_SERVICE, "tcp", IPROP_PORT); 54 he = roken_gethostbyname (master); 55 if (he == NULL) 56 krb5_errx (context, 1, "gethostbyname: %s", hstrerror(h_errno)); 57 memcpy (&addr.sin_addr, he->h_addr, sizeof(addr.sin_addr)); 58 if(connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) 59 krb5_err (context, 1, errno, "connect"); 60 return fd; 61 } 62 63 static void 64 get_creds(krb5_context context, const char *keytab_str, 65 krb5_ccache *cache, const char *host) 66 { 67 krb5_keytab keytab; 68 krb5_principal client; 69 krb5_error_code ret; 70 krb5_get_init_creds_opt init_opts; 71 krb5_creds creds; 72 char *server; 73 char keytab_buf[256]; 74 75 if (keytab_str == NULL) { 76 ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf)); 77 if (ret) 78 krb5_err (context, 1, ret, "krb5_kt_default_name"); 79 keytab_str = keytab_buf; 80 } 81 82 ret = krb5_kt_resolve(context, keytab_str, &keytab); 83 if(ret) 84 krb5_err(context, 1, ret, "%s", keytab_str); 85 86 ret = krb5_sname_to_principal (context, NULL, IPROP_NAME, 87 KRB5_NT_SRV_HST, &client); 88 if (ret) krb5_err(context, 1, ret, "krb5_sname_to_principal"); 89 90 krb5_get_init_creds_opt_init(&init_opts); 91 92 asprintf (&server, "%s/%s", IPROP_NAME, host); 93 if (server == NULL) 94 krb5_errx (context, 1, "malloc: no memory"); 95 96 ret = krb5_get_init_creds_keytab(context, &creds, client, keytab, 97 0, server, &init_opts); 98 free (server); 99 if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds"); 100 101 ret = krb5_kt_close(context, keytab); 102 if(ret) krb5_err(context, 1, ret, "krb5_kt_close"); 103 104 ret = krb5_cc_gen_new(context, &krb5_mcc_ops, cache); 105 if(ret) krb5_err(context, 1, ret, "krb5_cc_gen_new"); 106 107 ret = krb5_cc_initialize(context, *cache, client); 108 if(ret) krb5_err(context, 1, ret, "krb5_cc_initialize"); 109 110 ret = krb5_cc_store_cred(context, *cache, &creds); 111 if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred"); 112 } 113 114 static void 115 ihave (krb5_context context, krb5_auth_context auth_context, 116 int fd, u_int32_t version) 117 { 118 int ret; 119 u_char buf[8]; 120 krb5_storage *sp; 121 krb5_data data, priv_data; 122 123 sp = krb5_storage_from_mem (buf, 8); 124 krb5_store_int32 (sp, I_HAVE); 125 krb5_store_int32 (sp, version); 126 krb5_storage_free (sp); 127 data.length = 8; 128 data.data = buf; 129 130 ret = krb5_mk_priv (context, auth_context, &data, &priv_data, NULL); 131 if (ret) 132 krb5_err (context, 1, ret, "krb_mk_priv"); 133 134 ret = krb5_write_message (context, &fd, &priv_data); 135 if (ret) 136 krb5_err (context, 1, ret, "krb5_write_message"); 137 138 krb5_data_free (&priv_data); 139 } 140 141 static void 142 receive_loop (krb5_context context, 143 krb5_storage *sp, 144 kadm5_server_context *server_context) 145 { 146 int ret; 147 off_t left, right; 148 void *buf; 149 int32_t vers; 150 151 do { 152 int32_t len, timestamp, tmp; 153 enum kadm_ops op; 154 155 if(krb5_ret_int32 (sp, &vers) != 0) 156 return; 157 krb5_ret_int32 (sp, ×tamp); 158 krb5_ret_int32 (sp, &tmp); 159 op = tmp; 160 krb5_ret_int32 (sp, &len); 161 if (vers <= server_context->log_context.version) 162 sp->seek(sp, len, SEEK_CUR); 163 } while(vers <= server_context->log_context.version); 164 165 left = sp->seek (sp, -16, SEEK_CUR); 166 right = sp->seek (sp, 0, SEEK_END); 167 buf = malloc (right - left); 168 if (buf == NULL && (right - left) != 0) { 169 krb5_warnx (context, "malloc: no memory"); 170 return; 171 } 172 sp->seek (sp, left, SEEK_SET); 173 sp->fetch (sp, buf, right - left); 174 write (server_context->log_context.log_fd, buf, right-left); 175 fsync (server_context->log_context.log_fd); 176 free (buf); 177 178 sp->seek (sp, left, SEEK_SET); 179 180 for(;;) { 181 int32_t len, timestamp, tmp; 182 enum kadm_ops op; 183 184 if(krb5_ret_int32 (sp, &vers) != 0) 185 break; 186 krb5_ret_int32 (sp, ×tamp); 187 krb5_ret_int32 (sp, &tmp); 188 op = tmp; 189 krb5_ret_int32 (sp, &len); 190 191 ret = kadm5_log_replay (server_context, 192 op, vers, len, sp); 193 if (ret) 194 krb5_warn (context, ret, "kadm5_log_replay"); 195 else 196 server_context->log_context.version = vers; 197 sp->seek (sp, 8, SEEK_CUR); 198 } 199 } 200 201 static void 202 receive (krb5_context context, 203 krb5_storage *sp, 204 kadm5_server_context *server_context) 205 { 206 int ret; 207 208 ret = server_context->db->open(context, 209 server_context->db, 210 O_RDWR | O_CREAT, 0600); 211 if (ret) 212 krb5_err (context, 1, ret, "db->open"); 213 214 receive_loop (context, sp, server_context); 215 216 ret = server_context->db->close (context, server_context->db); 217 if (ret) 218 krb5_err (context, 1, ret, "db->close"); 219 } 220 221 static void 222 receive_everything (krb5_context context, int fd, 223 kadm5_server_context *server_context, 224 krb5_auth_context auth_context) 225 { 226 int ret; 227 krb5_data data; 228 int32_t vno; 229 int32_t opcode; 230 231 ret = server_context->db->open(context, 232 server_context->db, 233 O_RDWR | O_CREAT | O_TRUNC, 0600); 234 if (ret) 235 krb5_err (context, 1, ret, "db->open"); 236 237 do { 238 krb5_storage *sp; 239 240 ret = krb5_read_priv_message(context, auth_context, &fd, &data); 241 242 if (ret) 243 krb5_err (context, 1, ret, "krb5_read_priv_message"); 244 245 sp = krb5_storage_from_data (&data); 246 krb5_ret_int32 (sp, &opcode); 247 if (opcode == ONE_PRINC) { 248 krb5_data fake_data; 249 hdb_entry entry; 250 251 fake_data.data = (char *)data.data + 4; 252 fake_data.length = data.length - 4; 253 254 ret = hdb_value2entry (context, &fake_data, &entry); 255 if (ret) 256 krb5_err (context, 1, ret, "hdb_value2entry"); 257 ret = server_context->db->store(server_context->context, 258 server_context->db, 259 0, &entry); 260 if (ret) 261 krb5_err (context, 1, ret, "hdb_store"); 262 263 hdb_free_entry (context, &entry); 264 krb5_data_free (&data); 265 } 266 } while (opcode == ONE_PRINC); 267 268 if (opcode != NOW_YOU_HAVE) 269 krb5_errx (context, 1, "receive_everything: strange %d", opcode); 270 271 _krb5_get_int ((char *)data.data + 4, &vno, 4); 272 273 ret = kadm5_log_reinit (server_context); 274 if (ret) 275 krb5_err(context, 1, ret, "kadm5_log_reinit"); 276 277 ret = kadm5_log_set_version (server_context, vno - 1); 278 if (ret) 279 krb5_err (context, 1, ret, "kadm5_log_set_version"); 280 281 ret = kadm5_log_nop (server_context); 282 if (ret) 283 krb5_err (context, 1, ret, "kadm5_log_nop"); 284 285 krb5_data_free (&data); 286 287 ret = server_context->db->close (context, server_context->db); 288 if (ret) 289 krb5_err (context, 1, ret, "db->close"); 290 } 291 292 static char *realm; 293 static int version_flag; 294 static int help_flag; 295 static char *keytab_str; 296 297 static struct getargs args[] = { 298 { "realm", 'r', arg_string, &realm }, 299 { "keytab", 'k', arg_string, &keytab_str, 300 "keytab to get authentication from", "kspec" }, 301 { "version", 0, arg_flag, &version_flag }, 302 { "help", 0, arg_flag, &help_flag } 303 }; 304 305 static int num_args = sizeof(args) / sizeof(args[0]); 306 307 static void 308 usage (int code, struct getargs *args, int num_args) 309 { 310 arg_printusage (args, num_args, NULL, "master"); 311 exit (code); 312 } 313 314 int 315 main(int argc, char **argv) 316 { 317 krb5_error_code ret; 318 krb5_context context; 319 krb5_auth_context auth_context; 320 void *kadm_handle; 321 kadm5_server_context *server_context; 322 kadm5_config_params conf; 323 int master_fd; 324 krb5_ccache ccache; 325 krb5_principal server; 326 327 int optind; 328 const char *master; 329 330 optind = krb5_program_setup(&context, argc, argv, args, num_args, usage); 331 332 if(help_flag) 333 usage (0, args, num_args); 334 if(version_flag) { 335 print_version(NULL); 336 exit(0); 337 } 338 339 argc -= optind; 340 argv += optind; 341 342 if (argc != 1) 343 usage (1, args, num_args); 344 345 master = argv[0]; 346 347 pidfile (NULL); 348 krb5_openlog (context, "ipropd-slave", &log_facility); 349 krb5_set_warn_dest(context, log_facility); 350 351 ret = krb5_kt_register(context, &hdb_kt_ops); 352 if(ret) 353 krb5_err(context, 1, ret, "krb5_kt_register"); 354 355 memset(&conf, 0, sizeof(conf)); 356 if(realm) { 357 conf.mask |= KADM5_CONFIG_REALM; 358 conf.realm = realm; 359 } 360 ret = kadm5_init_with_password_ctx (context, 361 KADM5_ADMIN_SERVICE, 362 NULL, 363 KADM5_ADMIN_SERVICE, 364 &conf, 0, 0, 365 &kadm_handle); 366 if (ret) 367 krb5_err (context, 1, ret, "kadm5_init_with_password_ctx"); 368 369 server_context = (kadm5_server_context *)kadm_handle; 370 371 ret = kadm5_log_init (server_context); 372 if (ret) 373 krb5_err (context, 1, ret, "kadm5_log_init"); 374 375 get_creds(context, keytab_str, &ccache, master); 376 377 master_fd = connect_to_master (context, master); 378 379 ret = krb5_sname_to_principal (context, master, IPROP_NAME, 380 KRB5_NT_SRV_HST, &server); 381 if (ret) 382 krb5_err (context, 1, ret, "krb5_sname_to_principal"); 383 384 auth_context = NULL; 385 ret = krb5_sendauth (context, &auth_context, &master_fd, 386 IPROP_VERSION, NULL, server, 387 AP_OPTS_MUTUAL_REQUIRED, NULL, NULL, 388 ccache, NULL, NULL, NULL); 389 if (ret) 390 krb5_err (context, 1, ret, "krb5_sendauth"); 391 392 ihave (context, auth_context, master_fd, 393 server_context->log_context.version); 394 395 for (;;) { 396 int ret; 397 krb5_data out; 398 krb5_storage *sp; 399 int32_t tmp; 400 401 ret = krb5_read_priv_message(context, auth_context, &master_fd, &out); 402 403 if (ret) 404 krb5_err (context, 1, ret, "krb5_read_priv_message"); 405 406 sp = krb5_storage_from_mem (out.data, out.length); 407 krb5_ret_int32 (sp, &tmp); 408 switch (tmp) { 409 case FOR_YOU : 410 receive (context, sp, server_context); 411 ihave (context, auth_context, master_fd, 412 server_context->log_context.version); 413 break; 414 case TELL_YOU_EVERYTHING : 415 receive_everything (context, master_fd, server_context, 416 auth_context); 417 break; 418 case NOW_YOU_HAVE : 419 case I_HAVE : 420 case ONE_PRINC : 421 default : 422 krb5_warnx (context, "Ignoring command %d", tmp); 423 break; 424 } 425 krb5_storage_free (sp); 426 krb5_data_free (&out); 427 } 428 429 return 0; 430 } 431