mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-21 08:24:10 +01:00
433 lines
12 KiB
C
433 lines
12 KiB
C
/*
|
|
* Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
|
|
* (Royal Institute of Technology, Stockholm, Sweden).
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
*
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* 3. Neither the name of the Institute nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
#include "iprop.h"
|
|
|
|
RCSID("$Id: ipropd_slave.c,v 1.26 2002/08/26 13:29:37 assar Exp $");
|
|
|
|
static krb5_log_facility *log_facility;
|
|
|
|
static int
|
|
connect_to_master (krb5_context context, const char *master)
|
|
{
|
|
int fd;
|
|
struct sockaddr_in addr;
|
|
struct hostent *he;
|
|
|
|
fd = socket (AF_INET, SOCK_STREAM, 0);
|
|
if (fd < 0)
|
|
krb5_err (context, 1, errno, "socket AF_INET");
|
|
memset (&addr, 0, sizeof(addr));
|
|
addr.sin_family = AF_INET;
|
|
addr.sin_port = krb5_getportbyname (context,
|
|
IPROP_SERVICE, "tcp", IPROP_PORT);
|
|
he = roken_gethostbyname (master);
|
|
if (he == NULL)
|
|
krb5_errx (context, 1, "gethostbyname: %s", hstrerror(h_errno));
|
|
memcpy (&addr.sin_addr, he->h_addr, sizeof(addr.sin_addr));
|
|
if(connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
|
|
krb5_err (context, 1, errno, "connect");
|
|
return fd;
|
|
}
|
|
|
|
static void
|
|
get_creds(krb5_context context, const char *keytab_str,
|
|
krb5_ccache *cache, const char *host)
|
|
{
|
|
krb5_keytab keytab;
|
|
krb5_principal client;
|
|
krb5_error_code ret;
|
|
krb5_get_init_creds_opt init_opts;
|
|
krb5_creds creds;
|
|
char *server;
|
|
char keytab_buf[256];
|
|
|
|
if (keytab_str == NULL) {
|
|
ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf));
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "krb5_kt_default_name");
|
|
keytab_str = keytab_buf;
|
|
}
|
|
|
|
ret = krb5_kt_resolve(context, keytab_str, &keytab);
|
|
if(ret)
|
|
krb5_err(context, 1, ret, "%s", keytab_str);
|
|
|
|
ret = krb5_sname_to_principal (context, NULL, IPROP_NAME,
|
|
KRB5_NT_SRV_HST, &client);
|
|
if (ret) krb5_err(context, 1, ret, "krb5_sname_to_principal");
|
|
|
|
krb5_get_init_creds_opt_init(&init_opts);
|
|
|
|
asprintf (&server, "%s/%s", IPROP_NAME, host);
|
|
if (server == NULL)
|
|
krb5_errx (context, 1, "malloc: no memory");
|
|
|
|
ret = krb5_get_init_creds_keytab(context, &creds, client, keytab,
|
|
0, server, &init_opts);
|
|
free (server);
|
|
if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds");
|
|
|
|
ret = krb5_kt_close(context, keytab);
|
|
if(ret) krb5_err(context, 1, ret, "krb5_kt_close");
|
|
|
|
ret = krb5_cc_gen_new(context, &krb5_mcc_ops, cache);
|
|
if(ret) krb5_err(context, 1, ret, "krb5_cc_gen_new");
|
|
|
|
ret = krb5_cc_initialize(context, *cache, client);
|
|
if(ret) krb5_err(context, 1, ret, "krb5_cc_initialize");
|
|
|
|
ret = krb5_cc_store_cred(context, *cache, &creds);
|
|
if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred");
|
|
}
|
|
|
|
static void
|
|
ihave (krb5_context context, krb5_auth_context auth_context,
|
|
int fd, u_int32_t version)
|
|
{
|
|
int ret;
|
|
u_char buf[8];
|
|
krb5_storage *sp;
|
|
krb5_data data, priv_data;
|
|
|
|
sp = krb5_storage_from_mem (buf, 8);
|
|
krb5_store_int32 (sp, I_HAVE);
|
|
krb5_store_int32 (sp, version);
|
|
krb5_storage_free (sp);
|
|
data.length = 8;
|
|
data.data = buf;
|
|
|
|
ret = krb5_mk_priv (context, auth_context, &data, &priv_data, NULL);
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "krb_mk_priv");
|
|
|
|
ret = krb5_write_message (context, &fd, &priv_data);
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "krb5_write_message");
|
|
|
|
krb5_data_free (&priv_data);
|
|
}
|
|
|
|
static void
|
|
receive_loop (krb5_context context,
|
|
krb5_storage *sp,
|
|
kadm5_server_context *server_context)
|
|
{
|
|
int ret;
|
|
off_t left, right;
|
|
void *buf;
|
|
int32_t vers;
|
|
|
|
do {
|
|
int32_t len, timestamp, tmp;
|
|
enum kadm_ops op;
|
|
|
|
if(krb5_ret_int32 (sp, &vers) != 0)
|
|
return;
|
|
krb5_ret_int32 (sp, ×tamp);
|
|
krb5_ret_int32 (sp, &tmp);
|
|
op = tmp;
|
|
krb5_ret_int32 (sp, &len);
|
|
if (vers <= server_context->log_context.version)
|
|
krb5_storage_seek(sp, len, SEEK_CUR);
|
|
} while(vers <= server_context->log_context.version);
|
|
|
|
left = krb5_storage_seek (sp, -16, SEEK_CUR);
|
|
right = krb5_storage_seek (sp, 0, SEEK_END);
|
|
buf = malloc (right - left);
|
|
if (buf == NULL && (right - left) != 0) {
|
|
krb5_warnx (context, "malloc: no memory");
|
|
return;
|
|
}
|
|
krb5_storage_seek (sp, left, SEEK_SET);
|
|
krb5_storage_read (sp, buf, right - left);
|
|
write (server_context->log_context.log_fd, buf, right-left);
|
|
fsync (server_context->log_context.log_fd);
|
|
free (buf);
|
|
|
|
krb5_storage_seek (sp, left, SEEK_SET);
|
|
|
|
for(;;) {
|
|
int32_t len, timestamp, tmp;
|
|
enum kadm_ops op;
|
|
|
|
if(krb5_ret_int32 (sp, &vers) != 0)
|
|
break;
|
|
krb5_ret_int32 (sp, ×tamp);
|
|
krb5_ret_int32 (sp, &tmp);
|
|
op = tmp;
|
|
krb5_ret_int32 (sp, &len);
|
|
|
|
ret = kadm5_log_replay (server_context,
|
|
op, vers, len, sp);
|
|
if (ret)
|
|
krb5_warn (context, ret, "kadm5_log_replay");
|
|
else
|
|
server_context->log_context.version = vers;
|
|
krb5_storage_seek (sp, 8, SEEK_CUR);
|
|
}
|
|
}
|
|
|
|
static void
|
|
receive (krb5_context context,
|
|
krb5_storage *sp,
|
|
kadm5_server_context *server_context)
|
|
{
|
|
int ret;
|
|
|
|
ret = server_context->db->open(context,
|
|
server_context->db,
|
|
O_RDWR | O_CREAT, 0600);
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "db->open");
|
|
|
|
receive_loop (context, sp, server_context);
|
|
|
|
ret = server_context->db->close (context, server_context->db);
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "db->close");
|
|
}
|
|
|
|
static void
|
|
receive_everything (krb5_context context, int fd,
|
|
kadm5_server_context *server_context,
|
|
krb5_auth_context auth_context)
|
|
{
|
|
int ret;
|
|
krb5_data data;
|
|
int32_t vno;
|
|
int32_t opcode;
|
|
unsigned long tmp;
|
|
|
|
ret = server_context->db->open(context,
|
|
server_context->db,
|
|
O_RDWR | O_CREAT | O_TRUNC, 0600);
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "db->open");
|
|
|
|
do {
|
|
krb5_storage *sp;
|
|
|
|
ret = krb5_read_priv_message(context, auth_context, &fd, &data);
|
|
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "krb5_read_priv_message");
|
|
|
|
sp = krb5_storage_from_data (&data);
|
|
krb5_ret_int32 (sp, &opcode);
|
|
if (opcode == ONE_PRINC) {
|
|
krb5_data fake_data;
|
|
hdb_entry entry;
|
|
|
|
fake_data.data = (char *)data.data + 4;
|
|
fake_data.length = data.length - 4;
|
|
|
|
ret = hdb_value2entry (context, &fake_data, &entry);
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "hdb_value2entry");
|
|
ret = server_context->db->store(server_context->context,
|
|
server_context->db,
|
|
0, &entry);
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "hdb_store");
|
|
|
|
hdb_free_entry (context, &entry);
|
|
krb5_data_free (&data);
|
|
}
|
|
} while (opcode == ONE_PRINC);
|
|
|
|
if (opcode != NOW_YOU_HAVE)
|
|
krb5_errx (context, 1, "receive_everything: strange %d", opcode);
|
|
|
|
_krb5_get_int ((char *)data.data + 4, &tmp, 4);
|
|
vno = tmp;
|
|
|
|
ret = kadm5_log_reinit (server_context);
|
|
if (ret)
|
|
krb5_err(context, 1, ret, "kadm5_log_reinit");
|
|
|
|
ret = kadm5_log_set_version (server_context, vno - 1);
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "kadm5_log_set_version");
|
|
|
|
ret = kadm5_log_nop (server_context);
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "kadm5_log_nop");
|
|
|
|
krb5_data_free (&data);
|
|
|
|
ret = server_context->db->close (context, server_context->db);
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "db->close");
|
|
}
|
|
|
|
static char *realm;
|
|
static int version_flag;
|
|
static int help_flag;
|
|
static char *keytab_str;
|
|
|
|
static struct getargs args[] = {
|
|
{ "realm", 'r', arg_string, &realm },
|
|
{ "keytab", 'k', arg_string, &keytab_str,
|
|
"keytab to get authentication from", "kspec" },
|
|
{ "version", 0, arg_flag, &version_flag },
|
|
{ "help", 0, arg_flag, &help_flag }
|
|
};
|
|
|
|
static int num_args = sizeof(args) / sizeof(args[0]);
|
|
|
|
static void
|
|
usage (int code, struct getargs *args, int num_args)
|
|
{
|
|
arg_printusage (args, num_args, NULL, "master");
|
|
exit (code);
|
|
}
|
|
|
|
int
|
|
main(int argc, char **argv)
|
|
{
|
|
krb5_error_code ret;
|
|
krb5_context context;
|
|
krb5_auth_context auth_context;
|
|
void *kadm_handle;
|
|
kadm5_server_context *server_context;
|
|
kadm5_config_params conf;
|
|
int master_fd;
|
|
krb5_ccache ccache;
|
|
krb5_principal server;
|
|
|
|
int optind;
|
|
const char *master;
|
|
|
|
optind = krb5_program_setup(&context, argc, argv, args, num_args, usage);
|
|
|
|
if(help_flag)
|
|
usage (0, args, num_args);
|
|
if(version_flag) {
|
|
print_version(NULL);
|
|
exit(0);
|
|
}
|
|
|
|
argc -= optind;
|
|
argv += optind;
|
|
|
|
if (argc != 1)
|
|
usage (1, args, num_args);
|
|
|
|
master = argv[0];
|
|
|
|
pidfile (NULL);
|
|
krb5_openlog (context, "ipropd-slave", &log_facility);
|
|
krb5_set_warn_dest(context, log_facility);
|
|
|
|
ret = krb5_kt_register(context, &hdb_kt_ops);
|
|
if(ret)
|
|
krb5_err(context, 1, ret, "krb5_kt_register");
|
|
|
|
memset(&conf, 0, sizeof(conf));
|
|
if(realm) {
|
|
conf.mask |= KADM5_CONFIG_REALM;
|
|
conf.realm = realm;
|
|
}
|
|
ret = kadm5_init_with_password_ctx (context,
|
|
KADM5_ADMIN_SERVICE,
|
|
NULL,
|
|
KADM5_ADMIN_SERVICE,
|
|
&conf, 0, 0,
|
|
&kadm_handle);
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
|
|
|
|
server_context = (kadm5_server_context *)kadm_handle;
|
|
|
|
ret = kadm5_log_init (server_context);
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "kadm5_log_init");
|
|
|
|
get_creds(context, keytab_str, &ccache, master);
|
|
|
|
master_fd = connect_to_master (context, master);
|
|
|
|
ret = krb5_sname_to_principal (context, master, IPROP_NAME,
|
|
KRB5_NT_SRV_HST, &server);
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "krb5_sname_to_principal");
|
|
|
|
auth_context = NULL;
|
|
ret = krb5_sendauth (context, &auth_context, &master_fd,
|
|
IPROP_VERSION, NULL, server,
|
|
AP_OPTS_MUTUAL_REQUIRED, NULL, NULL,
|
|
ccache, NULL, NULL, NULL);
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "krb5_sendauth");
|
|
|
|
ihave (context, auth_context, master_fd,
|
|
server_context->log_context.version);
|
|
|
|
for (;;) {
|
|
int ret;
|
|
krb5_data out;
|
|
krb5_storage *sp;
|
|
int32_t tmp;
|
|
|
|
ret = krb5_read_priv_message(context, auth_context, &master_fd, &out);
|
|
|
|
if (ret)
|
|
krb5_err (context, 1, ret, "krb5_read_priv_message");
|
|
|
|
sp = krb5_storage_from_mem (out.data, out.length);
|
|
krb5_ret_int32 (sp, &tmp);
|
|
switch (tmp) {
|
|
case FOR_YOU :
|
|
receive (context, sp, server_context);
|
|
ihave (context, auth_context, master_fd,
|
|
server_context->log_context.version);
|
|
break;
|
|
case TELL_YOU_EVERYTHING :
|
|
receive_everything (context, master_fd, server_context,
|
|
auth_context);
|
|
break;
|
|
case NOW_YOU_HAVE :
|
|
case I_HAVE :
|
|
case ONE_PRINC :
|
|
default :
|
|
krb5_warnx (context, "Ignoring command %d", tmp);
|
|
break;
|
|
}
|
|
krb5_storage_free (sp);
|
|
krb5_data_free (&out);
|
|
}
|
|
|
|
return 0;
|
|
}
|