search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
No empty .Rs/.Re
[netbsd-mini2440.git] / crypto / dist / heimdal / lib / kadm5 / ipropd_slave.c
blob2d0cb77361434900405e0c214fd063fbd5e1119c
1 /*
2 * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "iprop.h"
35
36 __RCSID("$Heimdal: ipropd_slave.c 22211 2007-12-07 19:27:27Z lha $"
37 "$NetBSD: ipropd_slave.c,v 1.2 2008/03/22 08:37:12 mlelstv Exp $");
38
39 static krb5_log_facility *log_facility;
40 static char *server_time_lost = "5 min";
41 static int time_before_lost;
42 const char *slave_str = NULL;
43
44 static int
45 connect_to_master (krb5_context context, const char *master,
46 const char *port_str)
47 {
48 int fd;
49 struct sockaddr_in addr;
50 struct hostent *he;
51
52 fd = socket (AF_INET, SOCK_STREAM, 0);
53 if (fd < 0)
54 krb5_err (context, 1, errno, "socket AF_INET");
55 memset (&addr, 0, sizeof(addr));
56 addr.sin_family = AF_INET;
57 if (port_str) {
58 addr.sin_port = krb5_getportbyname (context,
59 port_str, "tcp",
60 0);
61 if (addr.sin_port == 0) {
62 char *ptr;
63 long port;
64
65 port = strtol (port_str, &ptr, 10);
66 if (port == 0 && ptr == port_str)
67 krb5_errx (context, 1, "bad port `%s'", port_str);
68 addr.sin_port = htons(port);
69 }
70 } else {
71 addr.sin_port = krb5_getportbyname (context, IPROP_SERVICE,
72 "tcp", IPROP_PORT);
73 }
74 he = roken_gethostbyname (master);
75 if (he == NULL)
76 krb5_errx (context, 1, "gethostbyname: %s", hstrerror(h_errno));
77 memcpy (&addr.sin_addr, he->h_addr, sizeof(addr.sin_addr));
78 if(connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
79 krb5_err (context, 1, errno, "connect");
80 return fd;
81 }
82
83 static void
84 get_creds(krb5_context context, const char *keytab_str,
85 krb5_ccache *cache, const char *serverhost)
86 {
87 krb5_keytab keytab;
88 krb5_principal client;
89 krb5_error_code ret;
90 krb5_get_init_creds_opt *init_opts;
91 krb5_creds creds;
92 char *server;
93 char keytab_buf[256];
94
95 if (keytab_str == NULL) {
96 ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf));
97 if (ret)
98 krb5_err (context, 1, ret, "krb5_kt_default_name");
99 keytab_str = keytab_buf;
100 }
101
102 ret = krb5_kt_resolve(context, keytab_str, &keytab);
103 if(ret)
104 krb5_err(context, 1, ret, "%s", keytab_str);
105
106
107 ret = krb5_sname_to_principal (context, slave_str, IPROP_NAME,
108 KRB5_NT_SRV_HST, &client);
109 if (ret) krb5_err(context, 1, ret, "krb5_sname_to_principal");
110
111 ret = krb5_get_init_creds_opt_alloc(context, &init_opts);
112 if (ret) krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
113
114 asprintf (&server, "%s/%s", IPROP_NAME, serverhost);
115 if (server == NULL)
116 krb5_errx (context, 1, "malloc: no memory");
117
118 ret = krb5_get_init_creds_keytab(context, &creds, client, keytab,
119 0, server, init_opts);
120 free (server);
121 krb5_get_init_creds_opt_free(context, init_opts);
122 if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds");
123
124 ret = krb5_kt_close(context, keytab);
125 if(ret) krb5_err(context, 1, ret, "krb5_kt_close");
126
127 ret = krb5_cc_gen_new(context, &krb5_mcc_ops, cache);
128 if(ret) krb5_err(context, 1, ret, "krb5_cc_gen_new");
129
130 ret = krb5_cc_initialize(context, *cache, client);
131 if(ret) krb5_err(context, 1, ret, "krb5_cc_initialize");
132
133 ret = krb5_cc_store_cred(context, *cache, &creds);
134 if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred");
135 }
136
137 static void
138 ihave (krb5_context context, krb5_auth_context auth_context,
139 int fd, uint32_t version)
140 {
141 int ret;
142 u_char buf[8];
143 krb5_storage *sp;
144 krb5_data data;
145
146 sp = krb5_storage_from_mem (buf, 8);
147 krb5_store_int32 (sp, I_HAVE);
148 krb5_store_int32 (sp, version);
149 krb5_storage_free (sp);
150 data.length = 8;
151 data.data = buf;
152
153 ret = krb5_write_priv_message(context, auth_context, &fd, &data);
154 if (ret)
155 krb5_err (context, 1, ret, "krb5_write_priv_message");
156 }
157
158 static void
159 receive_loop (krb5_context context,
160 krb5_storage *sp,
161 kadm5_server_context *server_context)
162 {
163 int ret;
164 off_t left, right;
165 void *buf;
166 int32_t vers, vers2;
167 ssize_t sret;
168
169 /*
170 * Seek to the current version of the local database.
171 */
172 do {
173 int32_t len, timestamp, tmp;
174 enum kadm_ops op;
175
176 if(krb5_ret_int32 (sp, &vers) != 0)
177 return;
178 krb5_ret_int32 (sp, &timestamp);
179 krb5_ret_int32 (sp, &tmp);
180 op = tmp;
181 krb5_ret_int32 (sp, &len);
182 if (vers <= server_context->log_context.version)
183 krb5_storage_seek(sp, len + 8, SEEK_CUR);
184 } while(vers <= server_context->log_context.version);
185
186 /*
187 * Read up rest of the entires into the memory...
188 */
189 left = krb5_storage_seek (sp, -16, SEEK_CUR);
190 right = krb5_storage_seek (sp, 0, SEEK_END);
191 buf = malloc (right - left);
192 if (buf == NULL && (right - left) != 0)
193 krb5_errx (context, 1, "malloc: no memory");
194
195 /*
196 * ...and then write them out to the on-disk log.
197 */
198 krb5_storage_seek (sp, left, SEEK_SET);
199 krb5_storage_read (sp, buf, right - left);
200 sret = write (server_context->log_context.log_fd, buf, right-left);
201 if (sret != right - left)
202 krb5_err(context, 1, errno, "Failed to write log to disk");
203 ret = fsync (server_context->log_context.log_fd);
204 if (ret)
205 krb5_err(context, 1, errno, "Failed to sync log to disk");
206 free (buf);
207
208 /*
209 * Go back to the startpoint and start to commit the entires to
210 * the database.
211 */
212 krb5_storage_seek (sp, left, SEEK_SET);
213
214 for(;;) {
215 int32_t len, len2, timestamp, tmp;
216 off_t cur, cur2;
217 enum kadm_ops op;
218
219 if(krb5_ret_int32 (sp, &vers) != 0)
220 break;
221 ret = krb5_ret_int32 (sp, &timestamp);
222 if (ret) krb5_errx(context, 1, "entry %ld: too short", (long)vers);
223 ret = krb5_ret_int32 (sp, &tmp);
224 if (ret) krb5_errx(context, 1, "entry %ld: too short", (long)vers);
225 op = tmp;
226 ret = krb5_ret_int32 (sp, &len);
227 if (ret) krb5_errx(context, 1, "entry %ld: too short", (long)vers);
228 if (len < 0)
229 krb5_errx(context, 1, "log is corrupted, "
230 "negative length of entry version %ld: %ld",
231 (long)vers, (long)len);
232 cur = krb5_storage_seek(sp, 0, SEEK_CUR);
233
234 krb5_warnx (context, "replaying entry %d", (int)vers);
235
236 ret = kadm5_log_replay (server_context,
237 op, vers, len, sp);
238 if (ret) {
239 char *s = krb5_get_error_message(server_context->context, ret);
240 krb5_warnx (context,
241 "kadm5_log_replay: %ld. Lost entry entry, "
242 "Database out of sync ?: %s (%d)",
243 (long)vers, s ? s : "unknown error", ret);
244 krb5_xfree(s);
245 }
246
247 {
248 /*
249 * Make sure the krb5_log_replay does the right thing wrt
250 * reading out data from the sp.
251 */
252 cur2 = krb5_storage_seek(sp, 0, SEEK_CUR);
253 if (cur + len != cur2)
254 krb5_errx(context, 1,
255 "kadm5_log_reply version: %ld didn't read the whole entry",
256 (long)vers);
257 }
258
259 if (krb5_ret_int32 (sp, &len2) != 0)
260 krb5_errx(context, 1, "entry %ld: postamble too short", (long)vers);
261 if(krb5_ret_int32 (sp, &vers2) != 0)
262 krb5_errx(context, 1, "entry %ld: postamble too short", (long)vers);
263
264 if (len != len2)
265 krb5_errx(context, 1, "entry %ld: len != len2", (long)vers);
266 if (vers != vers2)
267 krb5_errx(context, 1, "entry %ld: vers != vers2", (long)vers);
268 }
269
270 /*
271 * Update version
272 */
273
274 server_context->log_context.version = vers;
275 }
276
277 static void
278 receive (krb5_context context,
279 krb5_storage *sp,
280 kadm5_server_context *server_context)
281 {
282 int ret;
283
284 ret = server_context->db->hdb_open(context,
285 server_context->db,
286 O_RDWR | O_CREAT, 0600);
287 if (ret)
288 krb5_err (context, 1, ret, "db->open");
289
290 receive_loop (context, sp, server_context);
291
292 ret = server_context->db->hdb_close (context, server_context->db);
293 if (ret)
294 krb5_err (context, 1, ret, "db->close");
295 }
296
297 static void
298 send_im_here (krb5_context context, int fd,
299 krb5_auth_context auth_context)
300 {
301 krb5_storage *sp;
302 krb5_data data;
303 int ret;
304
305 ret = krb5_data_alloc (&data, 4);
306 if (ret)
307 krb5_err (context, 1, ret, "send_im_here");
308
309 sp = krb5_storage_from_data (&data);
310 if (sp == NULL)
311 krb5_errx (context, 1, "krb5_storage_from_data");
312 krb5_store_int32(sp, I_AM_HERE);
313 krb5_storage_free(sp);
314
315 ret = krb5_write_priv_message(context, auth_context, &fd, &data);
316 krb5_data_free(&data);
317
318 if (ret)
319 krb5_err (context, 1, ret, "krb5_write_priv_message");
320 }
321
322 static void
323 receive_everything (krb5_context context, int fd,
324 kadm5_server_context *server_context,
325 krb5_auth_context auth_context)
326 {
327 int ret;
328 krb5_data data;
329 int32_t vno;
330 int32_t opcode;
331 krb5_storage *sp;
332
333 char *dbname;
334 HDB *mydb;
335
336 krb5_warnx(context, "receive complete database");
337
338 asprintf(&dbname, "%s-NEW", server_context->db->hdb_name);
339 ret = hdb_create(context, &mydb, dbname);
340 if(ret)
341 krb5_err(context,1, ret, "hdb_create");
342 free(dbname);
343
344 ret = hdb_set_master_keyfile (context,
345 mydb, server_context->config.stash_file);
346 if(ret)
347 krb5_err(context,1, ret, "hdb_set_master_keyfile");
348
349 /* I really want to use O_EXCL here, but given that I can't easily clean
350 up on error, I won't */
351 ret = mydb->hdb_open(context, mydb, O_RDWR | O_CREAT | O_TRUNC, 0600);
352 if (ret)
353 krb5_err (context, 1, ret, "db->open");
354
355 sp = NULL;
356 do {
357 ret = krb5_read_priv_message(context, auth_context, &fd, &data);
358
359 if (ret)
360 krb5_err (context, 1, ret, "krb5_read_priv_message");
361
362 sp = krb5_storage_from_data (&data);
363 if (sp == NULL)
364 krb5_errx (context, 1, "krb5_storage_from_data");
365 krb5_ret_int32 (sp, &opcode);
366 if (opcode == ONE_PRINC) {
367 krb5_data fake_data;
368 hdb_entry_ex entry;
369
370 krb5_storage_free(sp);
371
372 fake_data.data = (char *)data.data + 4;
373 fake_data.length = data.length - 4;
374
375 memset(&entry, 0, sizeof(entry));
376
377 ret = hdb_value2entry (context, &fake_data, &entry.entry);
378 if (ret)
379 krb5_err (context, 1, ret, "hdb_value2entry");
380 ret = mydb->hdb_store(server_context->context,
381 mydb,
382 0, &entry);
383 if (ret)
384 krb5_err (context, 1, ret, "hdb_store");
385
386 hdb_free_entry (context, &entry);
387 krb5_data_free (&data);
388 } else if (opcode == NOW_YOU_HAVE)
389 ;
390 else
391 krb5_errx (context, 1, "strange opcode %d", opcode);
392 } while (opcode == ONE_PRINC);
393
394 if (opcode != NOW_YOU_HAVE)
395 krb5_errx (context, 1, "receive_everything: strange %d", opcode);
396
397 krb5_ret_int32 (sp, &vno);
398 krb5_storage_free(sp);
399
400 ret = kadm5_log_reinit (server_context);
401 if (ret)
402 krb5_err(context, 1, ret, "kadm5_log_reinit");
403
404 ret = kadm5_log_set_version (server_context, vno - 1);
405 if (ret)
406 krb5_err (context, 1, ret, "kadm5_log_set_version");
407
408 ret = kadm5_log_nop (server_context);
409 if (ret)
410 krb5_err (context, 1, ret, "kadm5_log_nop");
411
412 krb5_data_free (&data);
413
414 ret = mydb->hdb_rename (context, mydb, server_context->db->hdb_name);
415 if (ret)
416 krb5_err (context, 1, ret, "db->rename");
417
418 ret = mydb->hdb_close (context, mydb);
419 if (ret)
420 krb5_err (context, 1, ret, "db->close");
421
422 ret = mydb->hdb_destroy (context, mydb);
423 if (ret)
424 krb5_err (context, 1, ret, "db->destroy");
425
426 krb5_warnx(context, "receive complete database, version %ld", (long)vno);
427 }
428
429 static char *config_file;
430 static char *realm;
431 static int version_flag;
432 static int help_flag;
433 static char *keytab_str;
434 static char *port_str;
435 static int detach_from_console = 0;
436
437 static struct getargs args[] = {
438 { "config-file", 'c', arg_string, &config_file },
439 { "realm", 'r', arg_string, &realm },
440 { "keytab", 'k', arg_string, &keytab_str,
441 "keytab to get authentication from", "kspec" },
442 { "time-lost", 0, arg_string, &server_time_lost,
443 "time before server is considered lost", "time" },
444 { "port", 0, arg_string, &port_str,
445 "port ipropd-slave will connect to", "port"},
446 { "detach", 0, arg_flag, &detach_from_console,
447 "detach from console" },
448 { "hostname", 0, arg_string, &slave_str,
449 "hostname of slave (if not same as hostname)", "hostname" },
450 { "version", 0, arg_flag, &version_flag },
451 { "help", 0, arg_flag, &help_flag }
452 };
453
454 static int num_args = sizeof(args) / sizeof(args[0]);
455
456 int
457 main(int argc, char **argv)
458 {
459 krb5_error_code ret;
460 krb5_context context;
461 krb5_auth_context auth_context;
462 void *kadm_handle;
463 kadm5_server_context *server_context;
464 kadm5_config_params conf;
465 int master_fd;
466 krb5_ccache ccache;
467 krb5_principal server;
468 char **files;
469 int optidx;
470
471 const char *master;
472
473 optidx = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
474
475 if(help_flag)
476 krb5_std_usage(0, args, num_args);
477 if(version_flag) {
478 print_version(NULL);
479 exit(0);
480 }
481
482 setup_signal();
483
484 if (config_file == NULL) {
485 asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
486 if (config_file == NULL)
487 errx(1, "out of memory");
488 }
489
490 ret = krb5_prepend_config_files_default(config_file, &files);
491 if (ret)
492 krb5_err(context, 1, ret, "getting configuration files");
493
494 ret = krb5_set_config_files(context, files);
495 krb5_free_config_files(files);
496 if (ret)
497 krb5_err(context, 1, ret, "reading configuration files");
498
499 argc -= optidx;
500 argv += optidx;
501
502 if (argc != 1)
503 krb5_std_usage(1, args, num_args);
504
505 master = argv[0];
506
507 if (detach_from_console)
508 daemon(0, 0);
509 pidfile (NULL);
510 krb5_openlog (context, "ipropd-slave", &log_facility);
511 krb5_set_warn_dest(context, log_facility);
512
513 ret = krb5_kt_register(context, &hdb_kt_ops);
514 if(ret)
515 krb5_err(context, 1, ret, "krb5_kt_register");
516
517 time_before_lost = parse_time (server_time_lost, "s");
518 if (time_before_lost < 0)
519 krb5_errx (context, 1, "couldn't parse time: %s", server_time_lost);
520
521 memset(&conf, 0, sizeof(conf));
522 if(realm) {
523 conf.mask |= KADM5_CONFIG_REALM;
524 conf.realm = realm;
525 }
526 ret = kadm5_init_with_password_ctx (context,
527 KADM5_ADMIN_SERVICE,
528 NULL,
529 KADM5_ADMIN_SERVICE,
530 &conf, 0, 0,
531 &kadm_handle);
532 if (ret)
533 krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
534
535 server_context = (kadm5_server_context *)kadm_handle;
536
537 ret = kadm5_log_init (server_context);
538 if (ret)
539 krb5_err (context, 1, ret, "kadm5_log_init");
540
541 get_creds(context, keytab_str, &ccache, master);
542
543 master_fd = connect_to_master (context, master, port_str);
544
545 ret = krb5_sname_to_principal (context, master, IPROP_NAME,
546 KRB5_NT_SRV_HST, &server);
547 if (ret)
548 krb5_err (context, 1, ret, "krb5_sname_to_principal");
549
550 auth_context = NULL;
551 ret = krb5_sendauth (context, &auth_context, &master_fd,
552 IPROP_VERSION, NULL, server,
553 AP_OPTS_MUTUAL_REQUIRED, NULL, NULL,
554 ccache, NULL, NULL, NULL);
555 if (ret)
556 krb5_err (context, 1, ret, "krb5_sendauth");
557
558 krb5_warnx(context, "ipropd-slave started at version: %ld",
559 (long)server_context->log_context.version);
560
561 ihave (context, auth_context, master_fd,
562 server_context->log_context.version);
563
564 while (exit_flag == 0) {
565 krb5_data out;
566 krb5_storage *sp;
567 int32_t tmp;
568 fd_set readset;
569 struct timeval to;
570
571 if (master_fd >= FD_SETSIZE)
572 krb5_errx (context, 1, "fd too large");
573
574 FD_ZERO(&readset);
575 FD_SET(master_fd, &readset);
576
577 to.tv_sec = time_before_lost;
578 to.tv_usec = 0;
579
580 ret = select (master_fd + 1,
581 &readset, NULL, NULL, &to);
582 if (ret < 0) {
583 if (errno == EINTR)
584 continue;
585 else
586 krb5_err (context, 1, errno, "select");
587 }
588 if (ret == 0)
589 krb5_errx (context, 1, "server didn't send a message "
590 "in %d seconds", time_before_lost);
591
592 ret = krb5_read_priv_message(context, auth_context, &master_fd, &out);
593
594 if (ret)
595 krb5_err (context, 1, ret, "krb5_read_priv_message");
596
597 sp = krb5_storage_from_mem (out.data, out.length);
598 krb5_ret_int32 (sp, &tmp);
599 switch (tmp) {
600 case FOR_YOU :
601 receive (context, sp, server_context);
602 ihave (context, auth_context, master_fd,
603 server_context->log_context.version);
604 break;
605 case TELL_YOU_EVERYTHING :
606 receive_everything (context, master_fd, server_context,
607 auth_context);
608 break;
609 case ARE_YOU_THERE :
610 send_im_here (context, master_fd, auth_context);
611 break;
612 case NOW_YOU_HAVE :
613 case I_HAVE :
614 case ONE_PRINC :
615 case I_AM_HERE :
616 default :
617 krb5_warnx (context, "Ignoring command %d", tmp);
618 break;
619 }
620 krb5_storage_free (sp);
621 krb5_data_free (&out);
622 }
623
624 if(exit_flag == SIGXCPU)
625 krb5_warnx(context, "%s CPU time limit exceeded", getprogname());
626 else if(exit_flag == SIGINT || exit_flag == SIGTERM)
627 krb5_warnx(context, "%s terminated", getprogname());
628 else
629 krb5_warnx(context, "%s unexpected exit reason: %ld",
630 getprogname(), (long)exit_flag);
631
632 return 0;
633 }
NetBSD on the FriendlyARM MINI2440