static krb5_error_code ihave(krb5_context context, krb5_auth_context auth_context, int fd, uint32_t version) { int ret; u_char buf[8]; krb5_storage *sp; krb5_data data; sp = krb5_storage_from_mem(buf, 8); ret = krb5_store_uint32(sp, I_HAVE); if (ret == 0) ret = krb5_store_uint32(sp, version); krb5_storage_free(sp); data.length = 8; data.data = buf; if (ret == 0) { if (verbose) krb5_warnx(context, "telling master we are at %u", version); ret = krb5_write_priv_message(context, auth_context, &fd, &data); if (ret) krb5_warn(context, ret, "krb5_write_message"); } return ret; }
static int prop_one (krb5_context context, HDB *db, hdb_entry *entry, void *v) { krb5_error_code ret; krb5_storage *sp; krb5_data data; struct slave *slave = (struct slave *)v; ret = hdb_entry2value (context, entry, &data); if (ret) return ret; ret = krb5_data_realloc (&data, data.length + 4); if (ret) { krb5_data_free (&data); return ret; } memmove ((char *)data.data + 4, data.data, data.length - 4); sp = krb5_storage_from_data(&data); if (sp == NULL) { krb5_data_free (&data); return ENOMEM; } krb5_store_int32(sp, ONE_PRINC); krb5_storage_free(sp); ret = krb5_write_priv_message (context, slave->ac, &slave->fd, &data); krb5_data_free (&data); return ret; }
static int send_are_you_there (krb5_context context, slave *s) { krb5_storage *sp; krb5_data data; char buf[4]; int ret; if (s->flags & (SLAVE_F_DEAD|SLAVE_F_AYT)) return 0; s->flags |= SLAVE_F_AYT; data.data = buf; data.length = 4; sp = krb5_storage_from_mem (buf, 4); if (sp == NULL) { krb5_warnx (context, "are_you_there: krb5_data_alloc"); slave_dead(s); return 1; } krb5_store_int32 (sp, ARE_YOU_THERE); krb5_storage_free (sp); ret = krb5_write_priv_message(context, s->ac, &s->fd, &data); if (ret) { krb5_warn (context, ret, "are_you_there: krb5_write_priv_message"); slave_dead(s); return 1; } return 0; }
static void send_im_here(krb5_context context, int fd, krb5_auth_context auth_context) { krb5_storage *sp; krb5_data data; krb5_error_code ret; ret = krb5_data_alloc(&data, 4); if (ret) krb5_err(context, IPROPD_RESTART, ret, "send_im_here"); sp = krb5_storage_from_data (&data); if (sp == NULL) krb5_errx(context, IPROPD_RESTART, "krb5_storage_from_data"); ret = krb5_store_uint32(sp, I_AM_HERE); krb5_storage_free(sp); if (ret == 0) { ret = krb5_write_priv_message(context, auth_context, &fd, &data); krb5_data_free(&data); if (ret) krb5_err(context, IPROPD_RESTART, ret, "krb5_write_priv_message"); if (verbose) krb5_warnx(context, "pinged master"); } return; }
static void v5_loop (krb5_context context, krb5_auth_context ac, krb5_boolean initial, void *kadm_handle, krb5_socket_t fd) { krb5_error_code ret; krb5_data in, out; for (;;) { doing_useful_work = 0; if(term_flag) exit(0); ret = krb5_read_priv_message(context, ac, &fd, &in); if(ret == HEIM_ERR_EOF) exit(0); if(ret) krb5_err(context, 1, ret, "krb5_read_priv_message"); doing_useful_work = 1; kadmind_dispatch(kadm_handle, initial, &in, &out); krb5_data_free(&in); ret = krb5_write_priv_message(context, ac, &fd, &out); if(ret) krb5_err(context, 1, ret, "krb5_write_priv_message"); } }
krb5_error_code v5_prop(krb5_context context, HDB *db, hdb_entry_ex *entry, void *appdata) { krb5_error_code ret; struct prop_data *pd = appdata; krb5_data data; if(encrypt_flag) { ret = hdb_seal_keys_mkey(context, &entry->entry, mkey5); if (ret) { krb5_warn(context, ret, "hdb_seal_keys_mkey"); return ret; } } if(decrypt_flag) { ret = hdb_unseal_keys_mkey(context, &entry->entry, mkey5); if (ret) { krb5_warn(context, ret, "hdb_unseal_keys_mkey"); return ret; } } ret = hdb_entry2value(context, &entry->entry, &data); if(ret) { krb5_warn(context, ret, "hdb_entry2value"); return ret; } if(to_stdout) ret = krb5_write_message(context, &pd->sock, &data); else ret = krb5_write_priv_message(context, pd->auth_context, &pd->sock, &data); krb5_data_free(&data); return ret; }
static void send_im_here (krb5_context context, int fd, krb5_auth_context auth_context) { krb5_storage *sp; krb5_data data; int ret; ret = krb5_data_alloc (&data, 4); if (ret) krb5_err (context, 1, ret, "send_im_here"); sp = krb5_storage_from_data (&data); if (sp == NULL) krb5_errx (context, 1, "krb5_storage_from_data"); krb5_store_int32(sp, I_AM_HERE); krb5_storage_free(sp); ret = krb5_write_priv_message(context, auth_context, &fd, &data); krb5_data_free(&data); if (ret) krb5_err (context, 1, ret, "krb5_write_priv_message"); }
static int send_diffs (krb5_context context, slave *s, int log_fd, const char *database, u_int32_t current_version) { krb5_storage *sp; u_int32_t ver; time_t timestamp; enum kadm_ops op; u_int32_t len; off_t right, left; krb5_data data; int ret = 0; if (s->version == current_version) return 0; if (s->flags & SLAVE_F_DEAD) return 0; sp = kadm5_log_goto_end (log_fd); right = krb5_storage_seek(sp, 0, SEEK_CUR); for (;;) { if (kadm5_log_previous (sp, &ver, ×tamp, &op, &len)) abort (); left = krb5_storage_seek(sp, -16, SEEK_CUR); if (ver == s->version) return 0; if (ver == s->version + 1) break; if (left == 0) return send_complete (context, s, database, current_version); } ret = krb5_data_alloc (&data, right - left + 4); if (ret) { krb5_warn (context, ret, "send_diffs: krb5_data_alloc"); slave_dead(s); return 1; } krb5_storage_read (sp, (char *)data.data + 4, data.length - 4); krb5_storage_free(sp); sp = krb5_storage_from_data (&data); if (sp == NULL) { krb5_warnx (context, "send_diffs: krb5_storage_from_data"); slave_dead(s); return 1; } krb5_store_int32 (sp, FOR_YOU); krb5_storage_free(sp); ret = krb5_write_priv_message(context, s->ac, &s->fd, &data); krb5_data_free(&data); if (ret) { krb5_warn (context, ret, "send_diffs: krb5_write_priv_message"); slave_dead(s); return 1; } slave_seen(s); return 0; }
static int send_complete (krb5_context context, slave *s, const char *database, u_int32_t current_version) { krb5_error_code ret; krb5_storage *sp; HDB *db; krb5_data data; char buf[8]; ret = hdb_create (context, &db, database); if (ret) krb5_err (context, 1, ret, "hdb_create: %s", database); ret = db->hdb_open (context, db, O_RDONLY, 0); if (ret) krb5_err (context, 1, ret, "db->open"); sp = krb5_storage_from_mem (buf, 4); if (sp == NULL) krb5_errx (context, 1, "krb5_storage_from_mem"); krb5_store_int32 (sp, TELL_YOU_EVERYTHING); krb5_storage_free (sp); data.data = buf; data.length = 4; ret = krb5_write_priv_message(context, s->ac, &s->fd, &data); if (ret) { krb5_warn (context, ret, "krb5_write_priv_message"); slave_dead(s); return ret; } ret = hdb_foreach (context, db, 0, prop_one, s); if (ret) { krb5_warn (context, ret, "hdb_foreach"); slave_dead(s); return ret; } (*db->hdb_close)(context, db); (*db->hdb_destroy)(context, db); sp = krb5_storage_from_mem (buf, 8); if (sp == NULL) krb5_errx (context, 1, "krb5_storage_from_mem"); krb5_store_int32 (sp, NOW_YOU_HAVE); krb5_store_int32 (sp, current_version); krb5_storage_free (sp); data.length = 8; s->version = current_version; ret = krb5_write_priv_message(context, s->ac, &s->fd, &data); if (ret) { slave_dead(s); krb5_warn (context, ret, "krb5_write_priv_message"); return ret; } slave_seen(s); return 0; }
static int proto (int sock, const char *svc) { krb5_auth_context auth_context; krb5_error_code status; krb5_principal server; krb5_ticket *ticket; char *name; char ret_string[10]; char hostname[MAXHOSTNAMELEN]; krb5_data data; krb5_data remotename; krb5_data tk_file; krb5_ccache ccache; char ccname[MAXPATHLEN]; struct passwd *pwd; status = krb5_auth_con_init (context, &auth_context); if (status) krb5_err(context, 1, status, "krb5_auth_con_init"); status = krb5_auth_con_setaddrs_from_fd (context, auth_context, &sock); if (status) krb5_err(context, 1, status, "krb5_auth_con_setaddr"); if(gethostname (hostname, sizeof(hostname)) < 0) krb5_err(context, 1, errno, "gethostname"); status = krb5_sname_to_principal (context, hostname, svc, KRB5_NT_SRV_HST, &server); if (status) krb5_err(context, 1, status, "krb5_sname_to_principal"); status = krb5_recvauth_match_version (context, &auth_context, &sock, kfd_match_version, NULL, server, 0, NULL, &ticket); if (status) krb5_err(context, 1, status, "krb5_recvauth"); status = krb5_unparse_name (context, ticket->client, &name); if (status) krb5_err(context, 1, status, "krb5_unparse_name"); if(protocol_version == 0) { data.data = "old clnt"; /* XXX old clients only had room for 10 bytes of message, and also didn't show it to the user */ data.length = strlen(data.data) + 1; krb5_write_message(context, &sock, &data); sleep(2); /* XXX give client time to finish */ krb5_errx(context, 1, "old client; exiting"); } status=krb5_read_priv_message (context, auth_context, &sock, &remotename); if (status) krb5_err(context, 1, status, "krb5_read_message"); status=krb5_read_priv_message (context, auth_context, &sock, &tk_file); if (status) krb5_err(context, 1, status, "krb5_read_message"); krb5_data_zero (&data); if(((char*)remotename.data)[remotename.length-1] != '\0') krb5_errx(context, 1, "unterminated received"); if(((char*)tk_file.data)[tk_file.length-1] != '\0') krb5_errx(context, 1, "unterminated received"); status = krb5_read_priv_message(context, auth_context, &sock, &data); if (status) { krb5_err(context, 1, errno, "krb5_read_priv_message"); goto out; } pwd = getpwnam ((char *)(remotename.data)); if (pwd == NULL) { status=1; krb5_warnx(context, "getpwnam: %s failed",(char *)(remotename.data)); goto out; } if(!krb5_kuserok (context, ticket->client, (char *)(remotename.data))) { status=1; krb5_warnx(context, "krb5_kuserok: permission denied"); goto out; } if (setgid(pwd->pw_gid) < 0) { krb5_warn(context, errno, "setgid"); goto out; } if (setuid(pwd->pw_uid) < 0) { krb5_warn(context, errno, "setuid"); goto out; } if (tk_file.length != 1) snprintf (ccname, sizeof(ccname), "%s", (char *)(tk_file.data)); else snprintf (ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%lu", (unsigned long)pwd->pw_uid); status = krb5_cc_resolve (context, ccname, &ccache); if (status) { krb5_warn(context, status, "krb5_cc_resolve"); goto out; } status = krb5_cc_initialize (context, ccache, ticket->client); if (status) { krb5_warn(context, status, "krb5_cc_initialize"); goto out; } status = krb5_rd_cred2 (context, auth_context, ccache, &data); krb5_cc_close (context, ccache); if (status) { krb5_warn(context, status, "krb5_rd_cred"); goto out; } strlcpy(krb5_tkfile,ccname,sizeof(krb5_tkfile)); krb5_warnx(context, "%s forwarded ticket to %s,%s", name, (char *)(remotename.data),ccname); out: if (status) { strlcpy(ret_string, "no", sizeof(ret_string)); krb5_warnx(context, "failed"); } else { strlcpy(ret_string, "ok", sizeof(ret_string)); } krb5_data_free (&tk_file); krb5_data_free (&remotename); krb5_data_free (&data); free(name); data.data = ret_string; data.length = strlen(ret_string) + 1; status = krb5_write_priv_message(context, auth_context, &sock, &data); krb5_auth_con_free(context, auth_context); return status; }
int main(int argc, char **argv) { krb5_error_code ret; krb5_context context; krb5_auth_context ac = NULL; krb5_principal c1, c2; krb5_authenticator authent; krb5_keytab keytab; krb5_socket_t sock = rk_INVALID_SOCKET; HDB *db = NULL; int optidx = 0; char *tmp_db; krb5_log_facility *fac; int nprincs; setprogname(argv[0]); ret = krb5_init_context(&context); if(ret) exit(1); ret = krb5_openlog(context, "hpropd", &fac); if(ret) errx(1, "krb5_openlog"); krb5_set_warn_dest(context, fac); if(getarg(args, num_args, argc, argv, &optidx)) usage(1); if(local_realm != NULL) krb5_set_default_realm(context, local_realm); if(help_flag) usage(0); if(version_flag) { print_version(NULL); exit(0); } argc -= optidx; argv += optidx; if (argc != 0) usage(1); if (database == NULL) database = hdb_default_db(context); if(from_stdin) { sock = STDIN_FILENO; } else { struct sockaddr_storage ss; struct sockaddr *sa = (struct sockaddr *)&ss; socklen_t sin_len = sizeof(ss); char addr_name[256]; krb5_ticket *ticket; char *server; sock = STDIN_FILENO; #ifdef SUPPORT_INETD if (inetd_flag == -1) { if (getpeername (sock, sa, &sin_len) < 0) { inetd_flag = 0; } else { inetd_flag = 1; } } #else inetd_flag = 0; #endif if (!inetd_flag) { mini_inetd (krb5_getportbyname (context, "hprop", "tcp", HPROP_PORT), &sock); } sin_len = sizeof(ss); if(getpeername(sock, sa, &sin_len) < 0) krb5_err(context, 1, errno, "getpeername"); if (inet_ntop(sa->sa_family, socket_get_address (sa), addr_name, sizeof(addr_name)) == NULL) strlcpy (addr_name, "unknown address", sizeof(addr_name)); krb5_log(context, fac, 0, "Connection from %s", addr_name); ret = krb5_kt_register(context, &hdb_kt_ops); if(ret) krb5_err(context, 1, ret, "krb5_kt_register"); if (ktname != NULL) { ret = krb5_kt_resolve(context, ktname, &keytab); if (ret) krb5_err (context, 1, ret, "krb5_kt_resolve %s", ktname); } else { ret = krb5_kt_default (context, &keytab); if (ret) krb5_err (context, 1, ret, "krb5_kt_default"); } ret = krb5_recvauth(context, &ac, &sock, HPROP_VERSION, NULL, 0, keytab, &ticket); if(ret) krb5_err(context, 1, ret, "krb5_recvauth"); ret = krb5_unparse_name(context, ticket->server, &server); if (ret) krb5_err(context, 1, ret, "krb5_unparse_name"); if (strncmp(server, "hprop/", 5) != 0) krb5_errx(context, 1, "ticket not for hprop (%s)", server); free(server); krb5_free_ticket (context, ticket); ret = krb5_auth_con_getauthenticator(context, ac, &authent); if(ret) krb5_err(context, 1, ret, "krb5_auth_con_getauthenticator"); ret = krb5_make_principal(context, &c1, NULL, "kadmin", "hprop", NULL); if(ret) krb5_err(context, 1, ret, "krb5_make_principal"); _krb5_principalname2krb5_principal(context, &c2, authent->cname, authent->crealm); if(!krb5_principal_compare(context, c1, c2)) { char *s; ret = krb5_unparse_name(context, c2, &s); if (ret) s = unparseable_name; krb5_errx(context, 1, "Unauthorized connection from %s", s); } krb5_free_principal(context, c1); krb5_free_principal(context, c2); ret = krb5_kt_close(context, keytab); if(ret) krb5_err(context, 1, ret, "krb5_kt_close"); } if(!print_dump) { asprintf(&tmp_db, "%s~", database); ret = hdb_create(context, &db, tmp_db); if(ret) krb5_err(context, 1, ret, "hdb_create(%s)", tmp_db); ret = db->hdb_open(context, db, O_RDWR | O_CREAT | O_TRUNC, 0600); if(ret) krb5_err(context, 1, ret, "hdb_open(%s)", tmp_db); } nprincs = 0; while(1){ krb5_data data; hdb_entry_ex entry; if(from_stdin) { ret = krb5_read_message(context, &sock, &data); if(ret != 0 && ret != HEIM_ERR_EOF) krb5_err(context, 1, ret, "krb5_read_message"); } else { ret = krb5_read_priv_message(context, ac, &sock, &data); if(ret) krb5_err(context, 1, ret, "krb5_read_priv_message"); } if(ret == HEIM_ERR_EOF || data.length == 0) { if(!from_stdin) { data.data = NULL; data.length = 0; krb5_write_priv_message(context, ac, &sock, &data); } if(!print_dump) { ret = db->hdb_close(context, db); if(ret) krb5_err(context, 1, ret, "db_close"); ret = db->hdb_rename(context, db, database); if(ret) krb5_err(context, 1, ret, "db_rename"); } break; } memset(&entry, 0, sizeof(entry)); ret = hdb_value2entry(context, &data, &entry.entry); krb5_data_free(&data); if(ret) krb5_err(context, 1, ret, "hdb_value2entry"); if(print_dump) hdb_print_entry(context, db, &entry, stdout); else { ret = db->hdb_store(context, db, 0, &entry); if(ret == HDB_ERR_EXISTS) { char *s; ret = krb5_unparse_name(context, entry.entry.principal, &s); if (ret) s = strdup(unparseable_name); krb5_warnx(context, "Entry exists: %s", s); free(s); } else if(ret) krb5_err(context, 1, ret, "db_store"); else nprincs++; } hdb_free_entry(context, &entry); } if (!print_dump) krb5_log(context, fac, 0, "Received %d principals", nprincs); if (inetd_flag == 0) rk_closesocket(sock); exit(0); }
static int send_diffs (krb5_context context, slave *s, int log_fd, const char *database, uint32_t current_version) { krb5_storage *sp; uint32_t ver; time_t timestamp; enum kadm_ops op; uint32_t len; off_t right, left; krb5_data data; int ret = 0; if (s->version == current_version) { krb5_warnx(context, "slave %s in sync already at version %ld", s->name, (long)s->version); return 0; } if (s->flags & SLAVE_F_DEAD) return 0; /* if slave is a fresh client, starting over */ if (s->version == 0) { krb5_warnx(context, "sending complete log to fresh slave %s", s->name); return send_complete (context, s, database, current_version); } sp = kadm5_log_goto_end (log_fd); right = krb5_storage_seek(sp, 0, SEEK_CUR); for (;;) { ret = kadm5_log_previous (context, sp, &ver, ×tamp, &op, &len); if (ret) krb5_err(context, 1, ret, "send_diffs: failed to find previous entry"); left = krb5_storage_seek(sp, -16, SEEK_CUR); if (ver == s->version) return 0; if (ver == s->version + 1) break; if (left == 0) { krb5_storage_free(sp); krb5_warnx(context, "slave %s (version %lu) out of sync with master " "(first version in log %lu), sending complete database", s->name, (unsigned long)s->version, (unsigned long)ver); return send_complete (context, s, database, current_version); } } krb5_warnx(context, "syncing slave %s from version %lu to version %lu", s->name, (unsigned long)s->version, (unsigned long)current_version); ret = krb5_data_alloc (&data, right - left + 4); if (ret) { krb5_storage_free(sp); krb5_warn (context, ret, "send_diffs: krb5_data_alloc"); slave_dead(context, s); return 1; } krb5_storage_read (sp, (char *)data.data + 4, data.length - 4); krb5_storage_free(sp); sp = krb5_storage_from_data (&data); if (sp == NULL) { krb5_warnx (context, "send_diffs: krb5_storage_from_data"); slave_dead(context, s); return 1; } krb5_store_int32 (sp, FOR_YOU); krb5_storage_free(sp); ret = krb5_write_priv_message(context, s->ac, &s->fd, &data); krb5_data_free(&data); if (ret) { krb5_warn (context, ret, "send_diffs: krb5_write_priv_message"); slave_dead(context, s); return 1; } slave_seen(s); s->version = current_version; return 0; }
static kadm5_ret_t kadm_connect(kadm5_client_context *ctx) { kadm5_ret_t ret; krb5_principal server; krb5_ccache cc; rk_socket_t s = rk_INVALID_SOCKET; struct addrinfo *ai, *a; struct addrinfo hints; int error; char portstr[NI_MAXSERV]; char *hostname, *slash; char *service_name; krb5_context context = ctx->context; memset (&hints, 0, sizeof(hints)); hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; snprintf (portstr, sizeof(portstr), "%u", ntohs(ctx->kadmind_port)); hostname = ctx->admin_server; slash = strchr (hostname, '/'); if (slash != NULL) hostname = slash + 1; error = getaddrinfo (hostname, portstr, &hints, &ai); if (error) { krb5_clear_error_message(context); return KADM5_BAD_SERVER_NAME; } for (a = ai; a != NULL; a = a->ai_next) { s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); if (s < 0) continue; if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { krb5_clear_error_message(context); krb5_warn (context, errno, "connect(%s)", hostname); rk_closesocket (s); continue; } break; } if (a == NULL) { freeaddrinfo (ai); krb5_clear_error_message(context); krb5_warnx (context, "failed to contact %s", hostname); return KADM5_FAILURE; } ret = _kadm5_c_get_cred_cache(context, ctx->client_name, ctx->service_name, NULL, ctx->prompter, ctx->keytab, ctx->ccache, &cc); if(ret) { freeaddrinfo (ai); rk_closesocket(s); return ret; } if (ctx->realm) asprintf(&service_name, "%s@%s", KADM5_ADMIN_SERVICE, ctx->realm); else asprintf(&service_name, "%s", KADM5_ADMIN_SERVICE); if (service_name == NULL) { freeaddrinfo (ai); rk_closesocket(s); krb5_clear_error_message(context); return ENOMEM; } ret = krb5_parse_name(context, service_name, &server); free(service_name); if(ret) { freeaddrinfo (ai); if(ctx->ccache == NULL) krb5_cc_close(context, cc); rk_closesocket(s); return ret; } ctx->ac = NULL; ret = krb5_sendauth(context, &ctx->ac, &s, KADMIN_APPL_VERSION, NULL, server, AP_OPTS_MUTUAL_REQUIRED, NULL, NULL, cc, NULL, NULL, NULL); if(ret == 0) { krb5_data params; kadm5_config_params p; memset(&p, 0, sizeof(p)); if(ctx->realm) { p.mask |= KADM5_CONFIG_REALM; p.realm = ctx->realm; } ret = _kadm5_marshal_params(context, &p, ¶ms); ret = krb5_write_priv_message(context, ctx->ac, &s, ¶ms); krb5_data_free(¶ms); if(ret) { freeaddrinfo (ai); rk_closesocket(s); if(ctx->ccache == NULL) krb5_cc_close(context, cc); return ret; } } else if(ret == KRB5_SENDAUTH_BADAPPLVERS) { rk_closesocket(s); s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); if (s < 0) { freeaddrinfo (ai); krb5_clear_error_message(context); return errno; } if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { rk_closesocket (s); freeaddrinfo (ai); krb5_clear_error_message(context); return errno; } ret = krb5_sendauth(context, &ctx->ac, &s, KADMIN_OLD_APPL_VERSION, NULL, server, AP_OPTS_MUTUAL_REQUIRED, NULL, NULL, cc, NULL, NULL, NULL); } freeaddrinfo (ai); if(ret) { rk_closesocket(s); return ret; } krb5_free_principal(context, server); if(ctx->ccache == NULL) krb5_cc_close(context, cc); ctx->sock = s; return 0; }
static int send_diffs (kadm5_server_context *server_context, slave *s, int log_fd, const char *database, uint32_t current_version, uint32_t current_tstamp) { krb5_context context = server_context->context; krb5_storage *sp; uint32_t ver, initial_version, initial_version2; uint32_t initial_tstamp, initial_tstamp2; enum kadm_ops op; uint32_t len; off_t right, left; krb5_ssize_t bytes; krb5_data data; int ret = 0; if (s->flags & SLAVE_F_DEAD) { krb5_warnx(context, "not sending diffs to dead slave %s", s->name); return 0; } if (s->version == current_version) { char buf[4]; sp = krb5_storage_from_mem(buf, 4); if (sp == NULL) krb5_errx(context, IPROPD_RESTART, "krb5_storage_from_mem"); ret = krb5_store_uint32(sp, YOU_HAVE_LAST_VERSION); krb5_storage_free(sp); data.data = buf; data.length = 4; if (ret == 0) { ret = krb5_write_priv_message(context, s->ac, &s->fd, &data); if (ret) { krb5_warn(context, ret, "send_diffs: failed to send to slave"); slave_dead(context, s); } krb5_warnx(context, "slave %s in sync already at version %ld", s->name, (long)s->version); } return ret; } if (verbose) krb5_warnx(context, "sending diffs to live-seeming slave %s", s->name); /* * XXX The code that makes the diffs should be made a separate function, * then error handling (send_are_you_there() or slave_dead()) can be done * here. */ if (flock(log_fd, LOCK_SH) == -1) { krb5_warn(context, errno, "could not obtain shared lock on log file"); send_are_you_there(context, s); return errno; } ret = kadm5_log_get_version_fd(server_context, log_fd, LOG_VERSION_FIRST, &initial_version, &initial_tstamp); sp = kadm5_log_goto_end(server_context, log_fd); flock(log_fd, LOCK_UN); if (ret) { if (sp != NULL) krb5_storage_free(sp); krb5_warn(context, ret, "send_diffs: failed to read log"); send_are_you_there(context, s); return ret; } if (sp == NULL) { send_are_you_there(context, s); krb5_warn(context, errno ? errno : EINVAL, "send_diffs: failed to read log"); return errno ? errno : EINVAL; } /* * We're not holding any locks here, so we can't prevent truncations. * * We protect against this by re-checking that the initial version and * timestamp are the same before and after this loop. */ right = krb5_storage_seek(sp, 0, SEEK_CUR); if (right == (off_t)-1) { krb5_storage_free(sp); send_are_you_there(context, s); return errno; } for (;;) { ret = kadm5_log_previous (context, sp, &ver, NULL, &op, &len); if (ret) krb5_err(context, IPROPD_RESTART, ret, "send_diffs: failed to find previous entry"); left = krb5_storage_seek(sp, -16, SEEK_CUR); if (left == (off_t)-1) { krb5_storage_free(sp); send_are_you_there(context, s); return errno; } if (ver == s->version + 1) break; /* * We don't expect to reach the slave's version, except when it is * starting empty with the uber record. */ if (ver == s->version && !(ver == 0 && op == kadm_nop)) { /* * This shouldn't happen, but recall we're not holding a lock on * the log. */ krb5_storage_free(sp); krb5_warnx(context, "iprop log truncated while sending diffs to " "slave?? ver = %lu", (unsigned long)ver); send_are_you_there(context, s); return 0; } /* If we've reached the uber record, send the complete database */ if (left == 0 || (ver == 0 && op == kadm_nop)) { krb5_storage_free(sp); krb5_warnx(context, "slave %s (version %lu) out of sync with master " "(first version in log %lu), sending complete database", s->name, (unsigned long)s->version, (unsigned long)ver); return send_complete (context, s, database, current_version, ver, initial_tstamp); } } assert(ver == s->version + 1); krb5_warnx(context, "syncing slave %s from version %lu to version %lu", s->name, (unsigned long)s->version, (unsigned long)current_version); ret = krb5_data_alloc (&data, right - left + 4); if (ret) { krb5_storage_free(sp); krb5_warn (context, ret, "send_diffs: krb5_data_alloc"); send_are_you_there(context, s); return 1; } bytes = krb5_storage_read(sp, (char *)data.data + 4, data.length - 4); krb5_storage_free(sp); if (bytes != data.length - 4) { krb5_warnx(context, "iprop log truncated while sending diffs to " "slave?? ver = %lu", (unsigned long)ver); send_are_you_there(context, s); return 1; } /* * Check that we have the same log initial version and timestamp now as * when we dropped the shared lock on the log file! Else we could be * sending garbage to the slave. */ if (flock(log_fd, LOCK_SH) == -1) { krb5_warn(context, errno, "could not obtain shared lock on log file"); send_are_you_there(context, s); return 1; } ret = kadm5_log_get_version_fd(server_context, log_fd, LOG_VERSION_FIRST, &initial_version2, &initial_tstamp2); flock(log_fd, LOCK_UN); if (ret) { krb5_warn(context, ret, "send_diffs: failed to read log while producing diffs"); send_are_you_there(context, s); return 1; } if (initial_version != initial_version2 || initial_tstamp != initial_tstamp2) { krb5_warn(context, ret, "send_diffs: log truncated while producing diffs"); send_are_you_there(context, s); return 1; } sp = krb5_storage_from_data (&data); if (sp == NULL) { krb5_warnx (context, "send_diffs: krb5_storage_from_data"); send_are_you_there(context, s); return 1; } krb5_store_uint32 (sp, FOR_YOU); krb5_storage_free(sp); ret = krb5_write_priv_message(context, s->ac, &s->fd, &data); krb5_data_free(&data); if (ret) { krb5_warn (context, ret, "send_diffs: krb5_write_priv_message"); slave_dead(context, s); return 1; } slave_seen(s); s->version = current_version; krb5_warnx(context, "slave %s is now up to date (%u)", s->name, s->version); return 0; }
static int send_complete (krb5_context context, slave *s, const char *database, uint32_t current_version, uint32_t oldest_version, uint32_t initial_log_tstamp) { krb5_error_code ret; krb5_storage *dump = NULL; uint32_t vno = 0; krb5_data data; int fd = -1; struct stat st; char *dfn; ret = asprintf(&dfn, "%s/ipropd.dumpfile", hdb_db_dir(context)); if (ret == -1 || !dfn) { krb5_warn(context, ENOMEM, "Cannot allocate memory"); return ENOMEM; } fd = open(dfn, O_CREAT|O_RDWR, 0600); if (fd == -1) { ret = errno; krb5_warn(context, ret, "Cannot open/create iprop dumpfile %s", dfn); free(dfn); return ret; } free(dfn); dump = krb5_storage_from_fd(fd); if (!dump) { ret = errno; krb5_warn(context, ret, "krb5_storage_from_fd"); goto done; } for (;;) { ret = flock(fd, LOCK_SH); if (ret == -1) { ret = errno; krb5_warn(context, ret, "flock(fd, LOCK_SH)"); goto done; } if (krb5_storage_seek(dump, 0, SEEK_SET) == (off_t)-1) { ret = errno; krb5_warn(context, ret, "krb5_storage_seek(dump, 0, SEEK_SET)"); goto done; } vno = 0; ret = krb5_ret_uint32(dump, &vno); if (ret && ret != HEIM_ERR_EOF) { krb5_warn(context, ret, "krb5_ret_uint32(dump, &vno)"); goto done; } if (fstat(fd, &st) == -1) { ret = errno; krb5_warn(context, ret, "send_complete: could not stat dump file"); goto done; } /* * If the current dump has an appropriate version, then we can * break out of the loop and send the file below. */ if (ret == 0 && vno != 0 && st.st_mtime > initial_log_tstamp && vno >= oldest_version && vno <= current_version) break; if (verbose) krb5_warnx(context, "send_complete: dumping HDB"); /* * Otherwise, we may need to write a new dump file. We * obtain an exclusive lock on the fd. Because this is * not guaranteed to be an upgrade of our existing shared * lock, someone else may have written a new dumpfile while * we were waiting and so we must first check the vno of * the dump to see if that happened. If it did, we need * to go back to the top of the loop so that we can downgrade * our lock to a shared one. */ ret = flock(fd, LOCK_EX); if (ret == -1) { ret = errno; krb5_warn(context, ret, "flock(fd, LOCK_EX)"); goto done; } ret = krb5_storage_seek(dump, 0, SEEK_SET); if (ret == -1) { ret = errno; krb5_warn(context, ret, "krb5_storage_seek(dump, 0, SEEK_SET)"); goto done; } vno = 0; ret = krb5_ret_uint32(dump, &vno); if (ret && ret != HEIM_ERR_EOF) { krb5_warn(context, ret, "krb5_ret_uint32(dump, &vno)"); goto done; } if (fstat(fd, &st) == -1) { ret = errno; krb5_warn(context, ret, "send_complete: could not stat dump file"); goto done; } /* check if someone wrote a better version for us */ if (ret == 0 && vno != 0 && st.st_mtime > initial_log_tstamp && vno >= oldest_version && vno <= current_version) continue; /* Now, we know that we must write a new dump file. */ ret = write_dump(context, dump, database, current_version); if (ret) goto done; /* * And we must continue to the top of the loop so that we can * downgrade to a shared lock. */ } /* * Leaving the above loop, dump should have a ptr right after the initial * 4 byte DB version number and we should have a shared lock on the file * (which we may have just created), so we are reading to simply blast * the data down the wire. */ for (;;) { ret = krb5_ret_data(dump, &data); if (ret == HEIM_ERR_EOF) { ret = 0; /* EOF is not an error, it's success */ goto done; } if (ret) { krb5_warn(context, ret, "krb5_ret_data(dump, &data)"); slave_dead(context, s); goto done; } ret = krb5_write_priv_message(context, s->ac, &s->fd, &data); krb5_data_free(&data); if (ret) { krb5_warn (context, ret, "krb5_write_priv_message"); slave_dead(context, s); goto done; } } done: if (!ret) { s->version = vno; slave_seen(s); } if (fd != -1) close(fd); if (dump) krb5_storage_free(dump); return ret; }
static int propagate_database (krb5_context context, int type, const char *database_name, HDB *db, krb5_ccache ccache, int optidx, int argc, char **argv) { krb5_principal server; krb5_error_code ret; int i, failed = 0; for(i = optidx; i < argc; i++){ krb5_auth_context auth_context; int fd; struct prop_data pd; krb5_data data; char *port, portstr[NI_MAXSERV]; char *host = argv[i]; port = strchr(host, ':'); if(port == NULL) { snprintf(portstr, sizeof(portstr), "%u", ntohs(krb5_getportbyname (context, "hprop", "tcp", HPROP_PORT))); port = portstr; } else *port++ = '\0'; fd = open_socket(context, host, port); if(fd < 0) { failed++; krb5_warn (context, errno, "connect %s", host); continue; } ret = krb5_sname_to_principal(context, argv[i], HPROP_NAME, KRB5_NT_SRV_HST, &server); if(ret) { failed++; krb5_warn(context, ret, "krb5_sname_to_principal(%s)", host); close(fd); continue; } if (local_realm) { krb5_realm my_realm; krb5_get_default_realm(context,&my_realm); krb5_principal_set_realm(context,server,my_realm); krb5_xfree(my_realm); } auth_context = NULL; ret = krb5_sendauth(context, &auth_context, &fd, HPROP_VERSION, NULL, server, AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY, NULL, /* in_data */ NULL, /* in_creds */ ccache, NULL, NULL, NULL); krb5_free_principal(context, server); if(ret) { failed++; krb5_warn(context, ret, "krb5_sendauth (%s)", host); close(fd); goto next_host; } pd.context = context; pd.auth_context = auth_context; pd.sock = fd; ret = iterate (context, database_name, db, type, &pd); if (ret) { krb5_warnx(context, "iterate to host %s failed", host); failed++; goto next_host; } krb5_data_zero (&data); ret = krb5_write_priv_message(context, auth_context, &fd, &data); if(ret) { krb5_warn(context, ret, "krb5_write_priv_message"); failed++; goto next_host; } ret = krb5_read_priv_message(context, auth_context, &fd, &data); if(ret) { krb5_warn(context, ret, "krb5_read_priv_message: %s", host); failed++; goto next_host; } else krb5_data_free (&data); next_host: krb5_auth_con_free(context, auth_context); close(fd); } if (failed) return 1; return 0; }
static int proto (int sock, const char *hostname, const char *svc, char *message, size_t len) { krb5_auth_context auth_context; krb5_error_code status; krb5_principal server; krb5_data data; krb5_data data_send; krb5_ccache ccache; krb5_creds creds; krb5_kdc_flags flags; krb5_principal principal; status = krb5_auth_con_init (context, &auth_context); if (status) { krb5_warn (context, status, "krb5_auth_con_init"); return 1; } status = krb5_auth_con_setaddrs_from_fd (context, auth_context, &sock); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_auth_con_setaddr"); return 1; } status = krb5_sname_to_principal (context, hostname, svc, KRB5_NT_SRV_HST, &server); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_sname_to_principal"); return 1; } status = krb5_sendauth (context, &auth_context, &sock, KF_VERSION_1, NULL, server, AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY, NULL, NULL, NULL, NULL, NULL, NULL); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn(context, status, "krb5_sendauth"); return 1; } if (ccache_name == NULL) ccache_name = ""; data_send.data = (void *)remote_name; data_send.length = strlen(remote_name) + 1; status = krb5_write_priv_message(context, auth_context, &sock, &data_send); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_write_message"); return 1; } data_send.data = (void *)ccache_name; data_send.length = strlen(ccache_name)+1; status = krb5_write_priv_message(context, auth_context, &sock, &data_send); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_write_message"); return 1; } memset (&creds, 0, sizeof(creds)); status = krb5_cc_default (context, &ccache); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_cc_default"); return 1; } status = krb5_cc_get_principal (context, ccache, &principal); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_cc_get_principal"); return 1; } creds.client = principal; status = krb5_make_principal (context, &creds.server, principal->realm, KRB5_TGS_NAME, principal->realm, NULL); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_make_principal"); return 1; } creds.times.endtime = 0; flags.i = 0; flags.b.forwarded = 1; flags.b.forwardable = forwardable; status = krb5_get_forwarded_creds (context, auth_context, ccache, flags.i, hostname, &creds, &data); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_get_forwarded_creds"); return 1; } status = krb5_write_priv_message(context, auth_context, &sock, &data); if (status) { krb5_auth_con_free(context, auth_context); krb5_warn (context, status, "krb5_mk_priv"); return 1; } krb5_data_free (&data); status = krb5_read_priv_message(context, auth_context, &sock, &data); krb5_auth_con_free(context, auth_context); if (status) { krb5_warn (context, status, "krb5_mk_priv"); return 1; } if(data.length >= len) { krb5_warnx (context, "returned string is too long, truncating"); memcpy(message, data.data, len); message[len - 1] = '\0'; } else { memcpy(message, data.data, data.length); message[data.length] = '\0'; } krb5_data_free (&data); return(strcmp(message, "ok")); }