static kadm5_ret_t
kadmind_dispatch(void *kadm_handlep, krb5_boolean initial,
krb5_data *in, krb5_data *out)
{
kadm5_ret_t ret;
int32_t cmd, mask, tmp;
kadm5_server_context *contextp = kadm_handlep;
char client[128], name[128], name2[128];
const char *op = "";
krb5_principal princ, princ2;
kadm5_principal_ent_rec ent;
char *password, *expression;
krb5_keyblock *new_keys;
krb5_key_salt_tuple *ks_tuple = NULL;
krb5_boolean keepold = FALSE;
int n_ks_tuple = 0;
int n_keys;
char **princs;
int n_princs;
int keys_ok = 0;
krb5_storage *sp;
krb5_unparse_name_fixed(contextp->context, contextp->caller,
client, sizeof(client));
sp = krb5_storage_from_data(in);
if (sp == NULL)
krb5_errx(contextp->context, 1, "out of memory");
krb5_ret_int32(sp, &cmd);
switch(cmd){
case kadm_get:{
op = "GET";
ret = krb5_ret_principal(sp, &princ);
if(ret)
goto fail;
ret = krb5_ret_int32(sp, &mask);
if(ret){
krb5_free_principal(contextp->context, princ);
goto fail;
}
mask |= KADM5_PRINCIPAL;
krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
/* If the caller doesn't have KADM5_PRIV_GET, we're done. */
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_GET, princ);
if (ret) {
krb5_free_principal(contextp->context, princ);
goto fail;
}
/* Then check to see if it is ok to return keys */
if ((mask & KADM5_KEY_DATA) != 0) {
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_GET_KEYS,
princ);
if (ret == 0) {
keys_ok = 1;
} else if ((mask == (KADM5_PRINCIPAL|KADM5_KEY_DATA)) ||
(mask == (KADM5_PRINCIPAL|KADM5_KVNO|KADM5_KEY_DATA))) {
/*
* Requests for keys will get bogus keys, which is useful if
* the client just wants to see what (kvno, enctype)s the
* principal has keys for, but terrible if the client wants to
* write the keys into a keytab or modify the principal and
* write the bogus keys back to the server.
*
* We use a heuristic to detect which case we're handling here.
* If the client only asks for the flags in the above
* condition, then it's very likely a kadmin ext_keytab,
* add_enctype, or other request that should not see bogus
* keys. We deny them.
*
* The kadmin get command can be coaxed into making a request
* with the same mask. But the default long and terse output
* modes request other things too, so in all likelihood this
* heuristic will not hurt any kadmin get uses.
*/
krb5_free_principal(contextp->context, princ);
goto fail;
}
}
ret = kadm5_get_principal(kadm_handlep, princ, &ent, mask);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
if (ret == 0){
if (keys_ok)
kadm5_store_principal_ent(sp, &ent);
else
kadm5_store_principal_ent_nokeys(sp, &ent);
kadm5_free_principal_ent(kadm_handlep, &ent);
}
krb5_free_principal(contextp->context, princ);
break;
}
case kadm_delete:{
op = "DELETE";
ret = krb5_ret_principal(sp, &princ);
if(ret)
goto fail;
krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_DELETE, princ);
if(ret){
krb5_free_principal(contextp->context, princ);
goto fail;
}
ret = kadm5_delete_principal(kadm_handlep, princ);
krb5_free_principal(contextp->context, princ);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
break;
}
case kadm_create:{
op = "CREATE";
ret = kadm5_ret_principal_ent(sp, &ent);
if(ret)
goto fail;
ret = krb5_ret_int32(sp, &mask);
if(ret){
kadm5_free_principal_ent(contextp->context, &ent);
goto fail;
}
ret = krb5_ret_string(sp, &password);
if(ret){
kadm5_free_principal_ent(contextp->context, &ent);
goto fail;
}
krb5_unparse_name_fixed(contextp->context, ent.principal,
name, sizeof(name));
krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_ADD,
ent.principal);
if(ret){
kadm5_free_principal_ent(contextp->context, &ent);
memset(password, 0, strlen(password));
free(password);
goto fail;
}
ret = kadm5_create_principal(kadm_handlep, &ent,
mask, password);
kadm5_free_principal_ent(kadm_handlep, &ent);
memset(password, 0, strlen(password));
free(password);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
break;
}
case kadm_modify:{
op = "MODIFY";
ret = kadm5_ret_principal_ent(sp, &ent);
if(ret)
goto fail;
ret = krb5_ret_int32(sp, &mask);
if(ret){
kadm5_free_principal_ent(contextp, &ent);
goto fail;
}
krb5_unparse_name_fixed(contextp->context, ent.principal,
name, sizeof(name));
krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_MODIFY,
ent.principal);
if(ret){
kadm5_free_principal_ent(contextp, &ent);
goto fail;
}
ret = kadm5_modify_principal(kadm_handlep, &ent, mask);
kadm5_free_principal_ent(kadm_handlep, &ent);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
break;
}
case kadm_rename:{
op = "RENAME";
ret = krb5_ret_principal(sp, &princ);
if(ret)
goto fail;
ret = krb5_ret_principal(sp, &princ2);
if(ret){
krb5_free_principal(contextp->context, princ);
goto fail;
}
krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
krb5_unparse_name_fixed(contextp->context, princ2, name2, sizeof(name2));
krb5_warnx(contextp->context, "%s: %s %s -> %s",
client, op, name, name2);
ret = _kadm5_acl_check_permission(contextp,
KADM5_PRIV_ADD,
princ2)
|| _kadm5_acl_check_permission(contextp,
KADM5_PRIV_DELETE,
princ);
if(ret){
krb5_free_principal(contextp->context, princ);
krb5_free_principal(contextp->context, princ2);
goto fail;
}
ret = kadm5_rename_principal(kadm_handlep, princ, princ2);
krb5_free_principal(contextp->context, princ);
krb5_free_principal(contextp->context, princ2);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
break;
}
case kadm_chpass:{
op = "CHPASS";
ret = krb5_ret_principal(sp, &princ);
if (ret)
goto fail;
ret = krb5_ret_string(sp, &password);
if (ret) {
krb5_free_principal(contextp->context, princ);
goto fail;
}
ret = krb5_ret_int32(sp, &keepold);
if (ret && ret != HEIM_ERR_EOF) {
krb5_free_principal(contextp->context, princ);
goto fail;
}
krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
/*
* The change is allowed if at least one of:
*
* a) allowed by sysadmin
* b) it's for the principal him/herself and this was an
* initial ticket, but then, check with the password quality
* function.
* c) the user is on the CPW ACL.
*/
if (krb5_config_get_bool_default(contextp->context, NULL, TRUE,
"kadmin", "allow_self_change_password", NULL)
&& initial
&& krb5_principal_compare (contextp->context, contextp->caller,
princ))
{
krb5_data pwd_data;
const char *pwd_reason;
pwd_data.data = password;
pwd_data.length = strlen(password);
pwd_reason = kadm5_check_password_quality (contextp->context,
princ, &pwd_data);
if (pwd_reason != NULL)
ret = KADM5_PASS_Q_DICT;
else
ret = 0;
} else
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_CPW, princ);
if(ret) {
krb5_free_principal(contextp->context, princ);
memset(password, 0, strlen(password));
free(password);
goto fail;
}
ret = kadm5_chpass_principal_3(kadm_handlep, princ, keepold, 0, NULL,
password);
krb5_free_principal(contextp->context, princ);
memset(password, 0, strlen(password));
free(password);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
break;
}
case kadm_chpass_with_key:{
int i;
krb5_key_data *key_data;
int n_key_data;
op = "CHPASS_WITH_KEY";
ret = krb5_ret_principal(sp, &princ);
if(ret)
goto fail;
ret = krb5_ret_int32(sp, &n_key_data);
if (ret) {
krb5_free_principal(contextp->context, princ);
goto fail;
}
ret = krb5_ret_int32(sp, &keepold);
if (ret && ret != HEIM_ERR_EOF) {
krb5_free_principal(contextp->context, princ);
goto fail;
}
/* n_key_data will be squeezed into an int16_t below. */
if (n_key_data < 0 || n_key_data >= 1 << 16 ||
(size_t)n_key_data > UINT_MAX/sizeof(*key_data)) {
ret = ERANGE;
krb5_free_principal(contextp->context, princ);
goto fail;
}
key_data = malloc (n_key_data * sizeof(*key_data));
if (key_data == NULL && n_key_data != 0) {
ret = ENOMEM;
krb5_free_principal(contextp->context, princ);
goto fail;
}
for (i = 0; i < n_key_data; ++i) {
ret = kadm5_ret_key_data (sp, &key_data[i]);
if (ret) {
int16_t dummy = i;
kadm5_free_key_data (contextp, &dummy, key_data);
free (key_data);
krb5_free_principal(contextp->context, princ);
goto fail;
}
}
krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
/*
* The change is only allowed if the user is on the CPW ACL,
* this it to force password quality check on the user.
*/
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_CPW, princ);
if(ret) {
int16_t dummy = n_key_data;
kadm5_free_key_data (contextp, &dummy, key_data);
free (key_data);
krb5_free_principal(contextp->context, princ);
goto fail;
}
ret = kadm5_chpass_principal_with_key_3(kadm_handlep, princ, keepold,
n_key_data, key_data);
{
int16_t dummy = n_key_data;
kadm5_free_key_data (contextp, &dummy, key_data);
}
free (key_data);
krb5_free_principal(contextp->context, princ);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
break;
}
case kadm_randkey:{
op = "RANDKEY";
ret = krb5_ret_principal(sp, &princ);
if(ret)
goto fail;
krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
/*
* The change is allowed if at least one of:
* a) it's for the principal him/herself and this was an initial ticket
* b) the user is on the CPW ACL.
*/
if (initial
&& krb5_principal_compare (contextp->context, contextp->caller,
princ))
ret = 0;
else
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_CPW, princ);
if(ret) {
krb5_free_principal(contextp->context, princ);
goto fail;
}
/*
* See comments in kadm5_c_randkey_principal() regarding the
* protocol.
*/
ret = krb5_ret_int32(sp, &keepold);
if (ret != 0 && ret != HEIM_ERR_EOF) {
krb5_free_principal(contextp->context, princ);
goto fail;
}
ret = krb5_ret_int32(sp, &n_ks_tuple);
if (ret != 0 && ret != HEIM_ERR_EOF) {
krb5_free_principal(contextp->context, princ);
goto fail;
} else if (ret == 0) {
size_t i;
if (n_ks_tuple < 0) {
ret = EOVERFLOW;
krb5_free_principal(contextp->context, princ);
goto fail;
}
if ((ks_tuple = calloc(n_ks_tuple, sizeof (*ks_tuple))) == NULL) {
ret = errno;
krb5_free_principal(contextp->context, princ);
goto fail;
}
for (i = 0; i < n_ks_tuple; i++) {
ret = krb5_ret_int32(sp, &ks_tuple[i].ks_enctype);
if (ret != 0) {
krb5_free_principal(contextp->context, princ);
goto fail;
}
ret = krb5_ret_int32(sp, &ks_tuple[i].ks_salttype);
if (ret != 0) {
krb5_free_principal(contextp->context, princ);
goto fail;
}
}
}
ret = kadm5_randkey_principal_3(kadm_handlep, princ, keepold,
n_ks_tuple, ks_tuple, &new_keys,
&n_keys);
krb5_free_principal(contextp->context, princ);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
if(ret == 0){
int i;
krb5_store_int32(sp, n_keys);
for(i = 0; i < n_keys; i++){
krb5_store_keyblock(sp, new_keys[i]);
krb5_free_keyblock_contents(contextp->context, &new_keys[i]);
}
free(new_keys);
}
break;
}
case kadm_get_privs:{
uint32_t privs;
ret = kadm5_get_privs(kadm_handlep, &privs);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
if(ret == 0)
krb5_store_uint32(sp, privs);
break;
}
case kadm_get_princs:{
op = "LIST";
ret = krb5_ret_int32(sp, &tmp);
if(ret)
goto fail;
if(tmp){
ret = krb5_ret_string(sp, &expression);
if(ret)
goto fail;
}else
expression = NULL;
krb5_warnx(contextp->context, "%s: %s %s", client, op,
expression ? expression : "*");
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_LIST, NULL);
if(ret){
free(expression);
goto fail;
}
ret = kadm5_get_principals(kadm_handlep, expression, &princs, &n_princs);
free(expression);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
if(ret == 0){
int i;
krb5_store_int32(sp, n_princs);
for(i = 0; i < n_princs; i++)
krb5_store_string(sp, princs[i]);
kadm5_free_name_list(kadm_handlep, princs, &n_princs);
}
break;
}
default:
krb5_warnx(contextp->context, "%s: UNKNOWN OP %d", client, cmd);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, KADM5_FAILURE);
break;
}
krb5_storage_to_data(sp, out);
krb5_storage_free(sp);
return 0;
fail:
krb5_warn(contextp->context, ret, "%s", op);
krb5_storage_seek(sp, 0, SEEK_SET);
krb5_store_int32(sp, ret);
krb5_storage_to_data(sp, out);
krb5_storage_free(sp);
return 0;
}
int
main(int argc, char **argv)
{
krb5_error_code ret, ret2;
krb5_context context;
krb5_auth_context auth_context;
void *kadm_handle;
kadm5_server_context *server_context;
kadm5_config_params conf;
int master_fd;
krb5_ccache ccache;
krb5_principal server;
char **files;
int optidx = 0;
time_t reconnect_min;
time_t backoff;
time_t reconnect_max;
time_t reconnect;
time_t before = 0;
int restarter_fd = -1;
const char *master;
setprogname(argv[0]);
if (getarg(args, num_args, argc, argv, &optidx))
usage(1);
if (help_flag)
usage(0);
if (version_flag) {
print_version(NULL);
exit(0);
}
if (detach_from_console && daemon_child == -1)
roken_detach_prep(argc, argv, "--daemon-child");
rk_pidfile(NULL);
ret = krb5_init_context(&context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
setup_signal();
if (config_file == NULL) {
if (asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context)) == -1
|| config_file == NULL)
errx(1, "out of memory");
}
ret = krb5_prepend_config_files_default(config_file, &files);
if (ret)
krb5_err(context, 1, ret, "getting configuration files");
ret = krb5_set_config_files(context, files);
krb5_free_config_files(files);
if (ret)
krb5_err(context, 1, ret, "reading configuration files");
argc -= optidx;
argv += optidx;
if (argc != 1)
usage(1);
master = argv[0];
if (status_file == NULL) {
if (asprintf(&status_file, "%s/ipropd-slave-status", hdb_db_dir(context)) < 0 || status_file == NULL)
krb5_errx(context, 1, "can't allocate status file buffer");
}
krb5_openlog(context, "ipropd-slave", &log_facility);
krb5_set_warn_dest(context, log_facility);
slave_status(context, status_file, "bootstrapping");
ret = krb5_kt_register(context, &hdb_get_kt_ops);
if(ret)
krb5_err(context, 1, ret, "krb5_kt_register");
time_before_lost = parse_time (server_time_lost, "s");
if (time_before_lost < 0)
krb5_errx (context, 1, "couldn't parse time: %s", server_time_lost);
slave_status(context, status_file, "getting credentials from keytab/database");
memset(&conf, 0, sizeof(conf));
if(realm) {
conf.mask |= KADM5_CONFIG_REALM;
conf.realm = realm;
}
ret = kadm5_init_with_password_ctx (context,
KADM5_ADMIN_SERVICE,
NULL,
KADM5_ADMIN_SERVICE,
&conf, 0, 0,
&kadm_handle);
if (ret)
krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
server_context = (kadm5_server_context *)kadm_handle;
slave_status(context, status_file, "creating log file");
ret = server_context->db->hdb_open(context,
server_context->db,
O_RDWR | O_CREAT, 0600);
if (ret)
krb5_err (context, 1, ret, "db->open");
ret = kadm5_log_init (server_context);
if (ret)
krb5_err (context, 1, ret, "kadm5_log_init");
ret = server_context->db->hdb_close (context, server_context->db);
if (ret)
krb5_err (context, 1, ret, "db->close");
get_creds(context, keytab_str, &ccache, master);
ret = krb5_sname_to_principal (context, master, IPROP_NAME,
KRB5_NT_SRV_HST, &server);
if (ret)
krb5_err (context, 1, ret, "krb5_sname_to_principal");
auth_context = NULL;
master_fd = -1;
krb5_appdefault_time(context, config_name, NULL, "reconnect-min",
10, &reconnect_min);
krb5_appdefault_time(context, config_name, NULL, "reconnect-max",
300, &reconnect_max);
krb5_appdefault_time(context, config_name, NULL, "reconnect-backoff",
10, &backoff);
reconnect = reconnect_min;
slave_status(context, status_file, "ipropd-slave started");
roken_detach_finish(NULL, daemon_child);
restarter_fd = restarter(context, NULL);
while (!exit_flag) {
struct timeval to;
time_t now, elapsed;
fd_set readset;
int connected = FALSE;
#ifndef NO_LIMIT_FD_SETSIZE
if (restarter_fd >= FD_SETSIZE)
krb5_errx(context, IPROPD_RESTART, "fd too large");
#endif
FD_ZERO(&readset);
if (restarter_fd > -1)
FD_SET(restarter_fd, &readset);
now = time(NULL);
elapsed = now - before;
if (elapsed < reconnect) {
time_t left = reconnect - elapsed;
krb5_warnx(context, "sleeping %d seconds before "
"retrying to connect", (int)left);
to.tv_sec = left;
to.tv_usec = 0;
if (select(restarter_fd + 1, &readset, NULL, NULL, &to) == 1) {
exit_flag = SIGTERM;
continue;
}
}
before = now;
slave_status(context, status_file, "connecting to master: %s\n", master);
master_fd = connect_to_master (context, master, port_str);
if (master_fd < 0)
goto retry;
reconnect = reconnect_min;
if (auth_context) {
krb5_auth_con_free(context, auth_context);
auth_context = NULL;
krb5_cc_destroy(context, ccache);
get_creds(context, keytab_str, &ccache, master);
}
if (verbose)
krb5_warnx(context, "authenticating to master");
ret = krb5_sendauth (context, &auth_context, &master_fd,
IPROP_VERSION, NULL, server,
AP_OPTS_MUTUAL_REQUIRED, NULL, NULL,
ccache, NULL, NULL, NULL);
if (ret) {
krb5_warn (context, ret, "krb5_sendauth");
goto retry;
}
krb5_warnx(context, "ipropd-slave started at version: %ld",
(long)server_context->log_context.version);
ret = ihave(context, auth_context, master_fd,
server_context->log_context.version);
if (ret)
goto retry;
connected = TRUE;
if (verbose)
krb5_warnx(context, "connected to master");
slave_status(context, status_file, "connected to master, waiting instructions");
while (connected && !exit_flag) {
krb5_data out;
krb5_storage *sp;
uint32_t tmp;
int max_fd;
#ifndef NO_LIMIT_FD_SETSIZE
if (master_fd >= FD_SETSIZE)
krb5_errx(context, IPROPD_RESTART, "fd too large");
if (restarter_fd >= FD_SETSIZE)
krb5_errx(context, IPROPD_RESTART, "fd too large");
max_fd = max(restarter_fd, master_fd);
#endif
FD_ZERO(&readset);
FD_SET(master_fd, &readset);
if (restarter_fd != -1)
FD_SET(restarter_fd, &readset);
to.tv_sec = time_before_lost;
to.tv_usec = 0;
ret = select (max_fd + 1,
&readset, NULL, NULL, &to);
if (ret < 0) {
if (errno == EINTR)
continue;
else
krb5_err (context, 1, errno, "select");
}
if (ret == 0) {
krb5_warnx(context, "server didn't send a message "
"in %d seconds", time_before_lost);
connected = FALSE;
continue;
}
if (restarter_fd > -1 && FD_ISSET(restarter_fd, &readset)) {
if (verbose)
krb5_warnx(context, "slave restarter exited");
exit_flag = SIGTERM;
}
if (!FD_ISSET(master_fd, &readset))
continue;
if (verbose)
krb5_warnx(context, "message from master");
ret = krb5_read_priv_message(context, auth_context, &master_fd, &out);
if (ret) {
krb5_warn(context, ret, "krb5_read_priv_message");
connected = FALSE;
continue;
}
sp = krb5_storage_from_mem (out.data, out.length);
if (sp == NULL)
krb5_err(context, IPROPD_RESTART, errno, "krb5_storage_from_mem");
ret = krb5_ret_uint32(sp, &tmp);
if (ret == HEIM_ERR_EOF) {
krb5_warn(context, ret, "master sent zero-length message");
connected = FALSE;
continue;
}
if (ret != 0) {
krb5_warn(context, ret, "couldn't read master's message");
connected = FALSE;
continue;
}
ret = server_context->db->hdb_open(context,
server_context->db,
O_RDWR | O_CREAT, 0600);
if (ret)
krb5_err (context, 1, ret, "db->open while handling a "
"message from the master");
ret = kadm5_log_init(server_context);
if (ret) {
krb5_err(context, IPROPD_RESTART, ret, "kadm5_log_init while "
"handling a message from the master");
}
ret = server_context->db->hdb_close (context, server_context->db);
if (ret)
krb5_err (context, 1, ret, "db->close while handling a "
"message from the master");
switch (tmp) {
case FOR_YOU :
if (verbose)
krb5_warnx(context, "master sent us diffs");
ret2 = receive(context, sp, server_context);
if (ret2)
krb5_warn(context, ret2,
"receive from ipropd-master had errors");
ret = ihave(context, auth_context, master_fd,
server_context->log_context.version);
if (ret || ret2)
connected = FALSE;
/*
* If it returns an error, receive() may nonetheless
* have committed some entries successfully, so we must
* update the slave_status even if there were errors.
*/
is_up_to_date(context, status_file, server_context);
break;
case TELL_YOU_EVERYTHING :
if (verbose)
krb5_warnx(context, "master sent us a full dump");
ret = receive_everything(context, master_fd, server_context,
auth_context);
if (ret == 0) {
ret = ihave(context, auth_context, master_fd,
server_context->log_context.version);
}
if (ret)
connected = FALSE;
else
is_up_to_date(context, status_file, server_context);
break;
case ARE_YOU_THERE :
if (verbose)
krb5_warnx(context, "master sent us a ping");
is_up_to_date(context, status_file, server_context);
ret = ihave(context, auth_context, master_fd,
server_context->log_context.version);
if (ret)
connected = FALSE;
send_im_here(context, master_fd, auth_context);
break;
case YOU_HAVE_LAST_VERSION:
if (verbose)
krb5_warnx(context, "master tells us we are up to date");
is_up_to_date(context, status_file, server_context);
break;
case NOW_YOU_HAVE :
case I_HAVE :
case ONE_PRINC :
case I_AM_HERE :
default :
krb5_warnx (context, "Ignoring command %d", tmp);
break;
}
krb5_storage_free (sp);
krb5_data_free (&out);
}
slave_status(context, status_file, "disconnected from master");
retry:
if (connected == FALSE)
krb5_warnx (context, "disconnected for server");
if (exit_flag)
krb5_warnx (context, "got an exit signal");
if (master_fd >= 0)
close(master_fd);
reconnect += backoff;
if (reconnect > reconnect_max) {
slave_status(context, status_file, "disconnected from master for a long time");
reconnect = reconnect_max;
}
}
if (status_file) {
/* XXX It'd be better to leave it saying we're not here */
unlink(status_file);
}
if (0);
#ifndef NO_SIGXCPU
else if(exit_flag == SIGXCPU)
krb5_warnx(context, "%s CPU time limit exceeded", getprogname());
#endif
else if(exit_flag == SIGINT || exit_flag == SIGTERM)
krb5_warnx(context, "%s terminated", getprogname());
else
krb5_warnx(context, "%s unexpected exit reason: %ld",
getprogname(), (long)exit_flag);
return 0;
}
static krb5_error_code
receive_everything (krb5_context context, int fd,
kadm5_server_context *server_context,
krb5_auth_context auth_context)
{
int ret;
krb5_data data;
int32_t vno = 0;
int32_t opcode;
krb5_storage *sp;
char *dbname;
HDB *mydb;
krb5_warnx(context, "receive complete database");
ret = asprintf(&dbname, "%s-NEW", server_context->db->hdb_name);
if (ret == -1)
krb5_err(context, 1, ENOMEM, "asprintf");
ret = hdb_create(context, &mydb, dbname);
if(ret)
krb5_err(context,1, ret, "hdb_create");
free(dbname);
ret = hdb_set_master_keyfile (context,
mydb, server_context->config.stash_file);
if(ret)
krb5_err(context,1, ret, "hdb_set_master_keyfile");
/* I really want to use O_EXCL here, but given that I can't easily clean
up on error, I won't */
ret = mydb->hdb_open(context, mydb, O_RDWR | O_CREAT | O_TRUNC, 0600);
if (ret)
krb5_err (context, 1, ret, "db->open");
sp = NULL;
krb5_data_zero(&data);
do {
ret = krb5_read_priv_message(context, auth_context, &fd, &data);
if (ret) {
krb5_warn (context, ret, "krb5_read_priv_message");
goto cleanup;
}
sp = krb5_storage_from_data (&data);
if (sp == NULL)
krb5_errx (context, 1, "krb5_storage_from_data");
krb5_ret_int32 (sp, &opcode);
if (opcode == ONE_PRINC) {
krb5_data fake_data;
hdb_entry_ex entry;
krb5_storage_free(sp);
fake_data.data = (char *)data.data + 4;
fake_data.length = data.length - 4;
memset(&entry, 0, sizeof(entry));
ret = hdb_value2entry (context, &fake_data, &entry.entry);
if (ret)
krb5_err (context, 1, ret, "hdb_value2entry");
ret = mydb->hdb_store(server_context->context,
mydb,
0, &entry);
if (ret)
krb5_err (context, 1, ret, "hdb_store");
hdb_free_entry (context, &entry);
krb5_data_free (&data);
} else if (opcode == NOW_YOU_HAVE)
;
else
krb5_errx (context, 1, "strange opcode %d", opcode);
} while (opcode == ONE_PRINC);
if (opcode != NOW_YOU_HAVE)
krb5_errx (context, 1, "receive_everything: strange %d", opcode);
krb5_ret_int32 (sp, &vno);
krb5_storage_free(sp);
reinit_log(context, server_context, vno);
ret = mydb->hdb_rename (context, mydb, server_context->db->hdb_name);
if (ret)
krb5_err (context, 1, ret, "db->rename");
cleanup:
krb5_data_free (&data);
ret = mydb->hdb_close (context, mydb);
if (ret)
krb5_err (context, 1, ret, "db->close");
ret = mydb->hdb_destroy (context, mydb);
if (ret)
krb5_err (context, 1, ret, "db->destroy");
krb5_warnx(context, "receive complete database, version %ld", (long)vno);
return ret;
}
static void
test_dh2key(krb5_context context, int i, struct testcase *c)
{
krb5_error_code ret;
krb5_keyblock key;
krb5_principal client, server;
Ticket ticket;
AlgorithmIdentifier ai;
size_t size;
memset(&ticket, 0, sizeof(ticket));
ai.algorithm = *c->oid;
ai.parameters = NULL;
ret = decode_Ticket(c->ticket.data, c->ticket.length, &ticket, &size);
if (ret)
krb5_errx(context, 1, "decode ticket: %d", ret);
ret = krb5_parse_name(context, c->client, &client);
if (ret)
krb5_err(context, 1, ret, "parse_name: %s", c->client);
ret = krb5_parse_name(context, c->server, &server);
if (ret)
krb5_err(context, 1, ret, "parse_name: %s", c->server);
if (verbose_flag) {
char *str;
hex_encode(c->Z.data, c->Z.length, &str);
printf("Z: %s\n", str);
free(str);
printf("client: %s\n", c->client);
printf("server: %s\n", c->server);
printf("enctype: %d\n", (int)c->enctype);
hex_encode(c->as_req.data, c->as_req.length, &str);
printf("as-req: %s\n", str);
free(str);
hex_encode(c->pk_as_rep.data, c->pk_as_rep.length, &str);
printf("pk-as-rep: %s\n", str);
free(str);
hex_encode(c->ticket.data, c->ticket.length, &str);
printf("ticket: %s\n", str);
free(str);
}
ret = _krb5_pk_kdf(context,
&ai,
c->Z.data,
c->Z.length,
client,
server,
c->enctype,
&c->as_req,
&c->pk_as_rep,
&ticket,
&key);
krb5_free_principal(context, client);
krb5_free_principal(context, server);
if (ret)
krb5_err(context, 1, ret, "_krb5_pk_kdf: %d", i);
if (verbose_flag) {
char *str;
hex_encode(key.keyvalue.data, key.keyvalue.length, &str);
printf("key: %s\n", str);
free(str);
}
if (key.keyvalue.length != c->key.length ||
memcmp(key.keyvalue.data, c->key.data, c->key.length) != 0)
krb5_errx(context, 1, "resulting key wrong: %d", i);
krb5_free_keyblock_contents(context, &key);
free_Ticket(&ticket);
}
static void
handle_v5(krb5_context context,
krb5_keytab keytab,
krb5_socket_t fd)
{
krb5_error_code ret;
krb5_ticket *ticket;
char *server_name;
char *client;
void *kadm_handle;
krb5_boolean initial;
krb5_auth_context ac = NULL;
unsigned kadm_version;
kadm5_config_params realm_params;
ret = krb5_recvauth_match_version(context, &ac, &fd,
match_appl_version, &kadm_version,
NULL, KRB5_RECVAUTH_IGNORE_VERSION,
keytab, &ticket);
if(ret == KRB5_KT_NOTFOUND)
krb5_errx(context, 1, "krb5_recvauth: key not found");
if(ret)
krb5_err(context, 1, ret, "krb5_recvauth");
ret = krb5_unparse_name (context, ticket->server, &server_name);
if (ret)
krb5_err (context, 1, ret, "krb5_unparse_name");
if (strncmp (server_name, KADM5_ADMIN_SERVICE,
strlen(KADM5_ADMIN_SERVICE)) != 0)
krb5_errx (context, 1, "ticket for strange principal (%s)",
server_name);
free (server_name);
memset(&realm_params, 0, sizeof(realm_params));
if(kadm_version == 1) {
krb5_data params;
ret = krb5_read_priv_message(context, ac, &fd, ¶ms);
if(ret)
krb5_err(context, 1, ret, "krb5_read_priv_message");
_kadm5_unmarshal_params(context, ¶ms, &realm_params);
}
initial = ticket->ticket.flags.initial;
ret = krb5_unparse_name(context, ticket->client, &client);
if (ret)
krb5_err (context, 1, ret, "krb5_unparse_name");
krb5_free_ticket (context, ticket);
ret = kadm5_s_init_with_password_ctx(context,
client,
NULL,
KADM5_ADMIN_SERVICE,
&realm_params,
0, 0,
&kadm_handle);
if(ret)
krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
v5_loop (context, ac, initial, kadm_handle, fd);
}
int
main(int argc, char **argv)
{
krb5_principal client;
krb5_context context;
const char *in_tkt_service = NULL;
krb5_ccache id;
krb5_error_code ret;
krb5_creds out;
int optidx = 0;
setprogname(argv[0]);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage (0);
if(version_flag){
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
if (argc > 0)
in_tkt_service = argv[0];
memset(&out, 0, sizeof(out));
ret = krb5_init_context(&context);
if (ret)
krb5_err(context, 1, ret, "krb5_init_context");
ret = krb5_cc_default(context, &id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_default");
ret = krb5_cc_get_principal(context, id, &client);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_default");
ret = krb5_get_renewed_creds(context,
&out,
client,
id,
in_tkt_service);
if(ret)
krb5_err(context, 1, ret, "krb5_get_renewed_creds");
if (krb5_principal_compare(context, out.client, client) != TRUE)
krb5_errx(context, 1, "return principal is not as expected");
krb5_free_cred_contents(context, &out);
krb5_free_context(context);
return 0;
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
krb5_ccache ccache = NULL;
HDB *db = NULL;
int optidx = 0;
int type, exit_code;
setprogname(argv[0]);
if(getarg(args, num_args, argc, argv, &optidx))
usage(1);
if(help_flag)
usage(0);
if(version_flag){
print_version(NULL);
exit(0);
}
ret = krb5_init_context(&context);
if(ret)
exit(1);
/* We may be reading an old database encrypted with a DES master key. */
ret = krb5_allow_weak_crypto(context, 1);
if(ret)
krb5_err(context, 1, ret, "krb5_allow_weak_crypto");
if(local_realm)
krb5_set_default_realm(context, local_realm);
if(encrypt_flag && decrypt_flag)
krb5_errx(context, 1,
"only one of `--encrypt' and `--decrypt' is meaningful");
if(source_type != NULL) {
type = parse_source_type(source_type);
if(type == 0)
krb5_errx(context, 1, "unknown source type `%s'", source_type);
} else
type = HPROP_HEIMDAL;
if(!to_stdout)
get_creds(context, &ccache);
if(decrypt_flag || encrypt_flag) {
ret = hdb_read_master_key(context, mkeyfile, &mkey5);
if(ret && ret != ENOENT)
krb5_err(context, 1, ret, "hdb_read_master_key");
if(ret)
krb5_errx(context, 1, "No master key file found");
}
switch(type) {
case HPROP_MIT_DUMP:
if (database == NULL)
krb5_errx(context, 1, "no dump file specified");
break;
case HPROP_HEIMDAL:
ret = hdb_create (context, &db, database);
if(ret)
krb5_err(context, 1, ret, "hdb_create: %s", database);
ret = db->hdb_open(context, db, O_RDONLY, 0);
if(ret)
krb5_err(context, 1, ret, "db->hdb_open");
break;
default:
krb5_errx(context, 1, "unknown dump type `%d'", type);
break;
}
if (to_stdout)
exit_code = dump_database (context, type, database, db);
else
exit_code = propagate_database (context, type, database,
db, ccache, optidx, argc, argv);
if(ccache != NULL)
krb5_cc_destroy(context, ccache);
if(db != NULL)
(*db->hdb_destroy)(context, db);
krb5_free_context(context);
return exit_code;
}
static int
proto (int sock, const char *service)
{
krb5_auth_context auth_context;
krb5_error_code status;
krb5_principal server;
krb5_ticket *ticket;
char *name;
char hostname[MAXHOSTNAMELEN];
krb5_data packet;
krb5_data data;
uint32_t len, net_len;
ssize_t n;
status = krb5_auth_con_init (context, &auth_context);
if (status)
krb5_err (context, 1, status, "krb5_auth_con_init");
status = krb5_auth_con_setaddrs_from_fd (context,
auth_context,
&sock);
if (status)
krb5_err (context, 1, status, "krb5_auth_con_setaddrs_from_fd");
if(gethostname (hostname, sizeof(hostname)) < 0)
krb5_err (context, 1, errno, "gethostname");
status = krb5_sname_to_principal (context,
hostname,
service,
KRB5_NT_SRV_HST,
&server);
if (status)
krb5_err (context, 1, status, "krb5_sname_to_principal");
status = krb5_recvauth (context,
&auth_context,
&sock,
VERSION,
server,
0,
keytab,
&ticket);
if (status)
krb5_err (context, 1, status, "krb5_recvauth");
status = krb5_unparse_name (context,
ticket->client,
&name);
if (status)
krb5_err (context, 1, status, "krb5_unparse_name");
fprintf (stderr, "User is `%s'\n", name);
free (name);
krb5_data_zero (&data);
krb5_data_zero (&packet);
n = krb5_net_read (context, &sock, &net_len, 4);
if (n == 0)
krb5_errx (context, 1, "EOF in krb5_net_read");
if (n < 0)
krb5_err (context, 1, errno, "krb5_net_read");
len = ntohl(net_len);
krb5_data_alloc (&packet, len);
n = krb5_net_read (context, &sock, packet.data, len);
if (n == 0)
krb5_errx (context, 1, "EOF in krb5_net_read");
if (n < 0)
krb5_err (context, 1, errno, "krb5_net_read");
status = krb5_rd_safe (context,
auth_context,
&packet,
&data,
NULL);
if (status)
krb5_err (context, 1, status, "krb5_rd_safe");
fprintf (stderr, "safe packet: %.*s\n", (int)data.length,
(char *)data.data);
n = krb5_net_read (context, &sock, &net_len, 4);
if (n == 0)
krb5_errx (context, 1, "EOF in krb5_net_read");
if (n < 0)
krb5_err (context, 1, errno, "krb5_net_read");
len = ntohl(net_len);
krb5_data_alloc (&packet, len);
n = krb5_net_read (context, &sock, packet.data, len);
if (n == 0)
krb5_errx (context, 1, "EOF in krb5_net_read");
if (n < 0)
krb5_err (context, 1, errno, "krb5_net_read");
status = krb5_rd_priv (context,
auth_context,
&packet,
&data,
NULL);
if (status)
krb5_err (context, 1, status, "krb5_rd_priv");
fprintf (stderr, "priv packet: %.*s\n", (int)data.length,
(char *)data.data);
return 0;
}
int
main(int argc, char **argv)
{
krb5_principal principal;
krb5_context context;
char *principal_str, *password_str, *str;
int ret, o = 0;
hdb_keyset keyset;
size_t length, len;
void *data;
setprogname(argv[0]);
if(getarg(args, num_args, argc, argv, &o))
krb5_std_usage(1, args, num_args);
if(help_flag)
krb5_std_usage(0, args, num_args);
if(version_flag){
print_version(NULL);
exit(0);
}
ret = krb5_init_context(&context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
if (argc != 3)
errx(1, "username and password missing");
principal_str = argv[1];
password_str = argv[2];
ret = krb5_parse_name (context, principal_str, &principal);
if (ret)
krb5_err (context, 1, ret, "krb5_parse_name %s", principal_str);
memset(&keyset, 0, sizeof(keyset));
keyset.kvno = kvno_integer;
keyset.set_time = malloc(sizeof (*keyset.set_time));
if (keyset.set_time == NULL)
errx(1, "couldn't allocate set_time field of keyset");
*keyset.set_time = time(NULL);
ret = hdb_generate_key_set_password(context, principal, password_str,
NULL, 0, &keyset.keys.val, &len);
if (ret)
krb5_err(context, 1, ret, "hdb_generate_key_set_password");
keyset.keys.len = len;
if (keyset.keys.len == 0)
krb5_errx (context, 1, "hdb_generate_key_set_password length 0");
krb5_free_principal (context, principal);
ASN1_MALLOC_ENCODE(hdb_keyset, data, length, &keyset, &len, ret);
if (ret)
krb5_errx(context, 1, "encode keyset");
if (len != length)
krb5_abortx(context, "foo");
krb5_free_context(context);
ret = base64_encode(data, length, &str);
if (ret < 0)
errx(1, "base64_encode");
printf("keyset: %s\n", str);
free(data);
return 0;
}
static krb5_error_code
get_new_tickets(krb5_context context,
krb5_principal principal,
krb5_ccache ccache,
krb5_deltat ticket_life,
int interactive)
{
krb5_error_code ret;
krb5_get_init_creds_opt *opt;
krb5_creds cred;
char passwd[256];
krb5_deltat start_time = 0;
krb5_deltat renew = 0;
const char *renewstr = NULL;
krb5_enctype *enctype = NULL;
krb5_ccache tempccache;
krb5_init_creds_context icc;
krb5_keytab kt = NULL;
int will_use_keytab = (use_keytab || keytab_str);
krb5_prompter_fct prompter = NULL;
int need_prompt;
passwd[0] = '\0';
if (password_file) {
FILE *f;
if (strcasecmp("STDIN", password_file) == 0)
f = stdin;
else
f = fopen(password_file, "r");
if (f == NULL)
krb5_errx(context, 1, "Failed to open the password file %s",
password_file);
if (fgets(passwd, sizeof(passwd), f) == NULL)
krb5_errx(context, 1,
N_("Failed to read password from file %s", ""),
password_file);
if (f != stdin)
fclose(f);
passwd[strcspn(passwd, "\n")] = '\0';
}
#if defined(__APPLE__) && !defined(__APPLE_TARGET_EMBEDDED__)
if (passwd[0] == '\0' && !will_use_keytab && home_directory_flag) {
const char *realm;
OSStatus osret;
UInt32 length;
void *buffer;
char *name;
realm = krb5_principal_get_realm(context, principal);
ret = krb5_unparse_name_flags(context, principal,
KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
if (ret)
goto nopassword;
osret = SecKeychainFindGenericPassword(NULL, (UInt32)strlen(realm), realm,
(UInt32)strlen(name), name,
&length, &buffer, &passwordItem);
free(name);
if (osret != noErr)
goto nopassword;
if (length < sizeof(passwd) - 1) {
memcpy(passwd, buffer, length);
passwd[length] = '\0';
}
SecKeychainItemFreeContent(NULL, buffer);
nopassword:
do { } while(0);
}
#endif
need_prompt = !(pk_user_id || ent_user_id || anonymous_flag || will_use_keytab || passwd[0] != '\0') && interactive;
if (need_prompt)
prompter = krb5_prompter_posix;
else
prompter = krb5_prompter_print_only;
memset(&cred, 0, sizeof(cred));
ret = krb5_get_init_creds_opt_alloc (context, &opt);
if (ret)
krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
krb5_get_init_creds_opt_set_default_flags(context, "kinit",
krb5_principal_get_realm(context, principal), opt);
if(forwardable_flag != -1)
krb5_get_init_creds_opt_set_forwardable (opt, forwardable_flag);
if(proxiable_flag != -1)
krb5_get_init_creds_opt_set_proxiable (opt, proxiable_flag);
if(anonymous_flag)
krb5_get_init_creds_opt_set_anonymous (opt, anonymous_flag);
if (pac_flag != -1)
krb5_get_init_creds_opt_set_pac_request(context, opt,
pac_flag ? TRUE : FALSE);
if (canonicalize_flag)
krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
if (pk_enterprise_flag || enterprise_flag || canonicalize_flag || windows_flag)
krb5_get_init_creds_opt_set_win2k(context, opt, TRUE);
if (pk_user_id || ent_user_id || anonymous_flag) {
ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
principal,
pk_user_id,
pk_x509_anchors,
NULL,
NULL,
pk_use_enckey ? 2 : 0 |
anonymous_flag ? 4 : 0,
interactive ? krb5_prompter_posix : krb5_prompter_print_only,
NULL,
passwd);
if (ret)
krb5_err(context, 1, ret, "krb5_get_init_creds_opt_set_pkinit");
if (ent_user_id)
krb5_get_init_creds_opt_set_pkinit_user_cert(context, opt, ent_user_id);
}
if (addrs_flag != -1)
krb5_get_init_creds_opt_set_addressless(context, opt,
addrs_flag ? FALSE : TRUE);
if (renew_life == NULL && renewable_flag)
renewstr = "1 month";
if (renew_life)
renewstr = renew_life;
if (renewstr) {
renew = parse_time (renewstr, "s");
if (renew < 0)
errx (1, "unparsable time: %s", renewstr);
krb5_get_init_creds_opt_set_renew_life (opt, renew);
}
if(ticket_life != 0)
krb5_get_init_creds_opt_set_tkt_life (opt, ticket_life);
if(start_str) {
int tmp = parse_time (start_str, "s");
if (tmp < 0)
errx (1, N_("unparsable time: %s", ""), start_str);
start_time = tmp;
}
if(etype_str.num_strings) {
int i;
enctype = malloc(etype_str.num_strings * sizeof(*enctype));
if(enctype == NULL)
errx(1, "out of memory");
for(i = 0; i < etype_str.num_strings; i++) {
ret = krb5_string_to_enctype(context,
etype_str.strings[i],
&enctype[i]);
if(ret)
krb5_err(context, 1, ret, "unrecognized enctype: %s",
etype_str.strings[i]);
}
krb5_get_init_creds_opt_set_etype_list(opt, enctype,
etype_str.num_strings);
}
ret = krb5_init_creds_init(context, principal,
prompter, NULL,
start_time, opt, &icc);
if (ret)
krb5_err (context, 1, ret, "krb5_init_creds_init");
if (server_str) {
ret = krb5_init_creds_set_service(context, icc, server_str);
if (ret)
krb5_err (context, 1, ret, "krb5_init_creds_set_service");
}
if (kdc_hostname)
krb5_init_creds_set_kdc_hostname(context, icc, kdc_hostname);
if (fast_armor_cache_string) {
krb5_ccache fastid;
ret = krb5_cc_resolve(context, fast_armor_cache_string, &fastid);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve(FAST cache)");
ret = krb5_init_creds_set_fast_ccache(context, icc, fastid);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_set_fast_ccache");
}
if(will_use_keytab) {
if(keytab_str)
ret = krb5_kt_resolve(context, keytab_str, &kt);
else
ret = krb5_kt_default(context, &kt);
if (ret)
krb5_err (context, 1, ret, "resolving keytab");
ret = krb5_init_creds_set_keytab(context, icc, kt);
if (ret)
krb5_err (context, 1, ret, "krb5_init_creds_set_keytab");
}
if (passwd[0] == '\0' && need_prompt) {
char *p, *prompt;
krb5_unparse_name(context, principal, &p);
asprintf (&prompt, N_("%s's Password: "******""), p);
free(p);
if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
memset(passwd, 0, sizeof(passwd));
errx(1, "failed to read password");
}
free (prompt);
}
if (passwd[0]) {
ret = krb5_init_creds_set_password(context, icc, passwd);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_set_password");
}
ret = krb5_init_creds_get(context, icc);
#ifdef __APPLE__
/*
* Save password in Keychain
*/
if (ret == 0 && keychain_flag && passwordItem == NULL) {
krb5_error_code ret2;
const char *realm;
char *name;
realm = krb5_principal_get_realm(context, principal);
ret2 = krb5_unparse_name_flags(context, principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
if (ret2 == 0) {
(void)SecKeychainAddGenericPassword(NULL,
(UInt32)strlen(realm), realm,
(UInt32)strlen(name), name,
(UInt32)strlen(passwd), passwd,
NULL);
free(name);
}
}
#endif
memset(passwd, 0, sizeof(passwd));
switch(ret){
case 0:
break;
case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
exit(1);
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
case KRB5KRB_AP_ERR_MODIFIED:
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5_GET_IN_TKT_LOOP:
#ifdef __APPLE__
if (passwordItem)
SecKeychainItemDelete(passwordItem);
#endif
krb5_errx(context, 1, N_("Password incorrect", ""));
case KRB5KRB_AP_ERR_V4_REPLY:
krb5_errx(context, 1, N_("Looks like a Kerberos 4 reply", ""));
case KRB5KDC_ERR_KEY_EXPIRED:
krb5_errx(context, 1, N_("Password expired", ""));
default:
krb5_err(context, 1, ret, "krb5_get_init_creds");
}
ret = krb5_init_creds_get_creds(context, icc, &cred);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_get_creds");
krb5_process_last_request(context, opt, icc);
ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, ccache),
NULL, &tempccache);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_new_unique");
ret = krb5_init_creds_store(context, icc, tempccache);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_store");
ret = krb5_init_creds_store_config(context, icc, tempccache);
if (ret)
krb5_warn(context, ret, "krb5_init_creds_store_config");
ret = krb5_init_creds_warn_user(context, icc);
if (ret)
krb5_warn(context, ret, "krb5_init_creds_warn_user");
#ifdef __APPLE__
/*
* Set for this case, default to * so that all processes can use
* this cache.
*/
{
heim_array_t bundleacl = heim_array_create();
heim_string_t ace;
if (bundle_acl_strings.num_strings > 0) {
int i;
for (i = 0; i < bundle_acl_strings.num_strings; i++) {
ace = heim_string_create(bundle_acl_strings.strings[i]);
heim_array_append_value(bundleacl, ace);
heim_release(ace);
}
} else {
ace = heim_string_create("*");
heim_array_append_value(bundleacl, ace);
heim_release(ace);
}
krb5_cc_set_acl(context, tempccache, "kHEIMAttrBundleIdentifierACL", bundleacl);
heim_release(bundleacl);
}
#endif
ret = krb5_cc_move(context, tempccache, ccache);
if (ret) {
(void)krb5_cc_destroy(context, tempccache);
krb5_err (context, 1, ret, "krb5_cc_move");
}
if (switch_cache_flags)
krb5_cc_switch(context, ccache);
if (ok_as_delegate_flag || windows_flag || use_referrals_flag) {
unsigned char d = 0;
krb5_data data;
if (ok_as_delegate_flag || windows_flag)
d |= 1;
if (use_referrals_flag || windows_flag)
d |= 2;
data.length = 1;
data.data = &d;
krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
}
if (enctype)
free(enctype);
krb5_init_creds_free(context, icc);
krb5_get_init_creds_opt_free(context, opt);
if (kt)
krb5_kt_close(context, kt);
#ifdef __APPLE__
if (passwordItem)
CFRelease(passwordItem);
#endif
return 0;
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
krb5_ccache cache;
krb5_creds *out;
int optidx = 0;
krb5_get_creds_opt opt;
krb5_principal server;
krb5_principal impersonate = NULL;
setprogname (argv[0]);
ret = krb5_init_context (&context);
if (ret)
errx(1, "krb5_init_context failed: %d", ret);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage (0);
if(version_flag) {
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
if (argc != 1)
usage (1);
if(cache_str) {
ret = krb5_cc_resolve(context, cache_str, &cache);
if (ret)
krb5_err (context, 1, ret, "%s", cache_str);
} else {
ret = krb5_cc_default (context, &cache);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_resolve");
}
ret = krb5_get_creds_opt_alloc(context, &opt);
if (ret)
krb5_err (context, 1, ret, "krb5_get_creds_opt_alloc");
if (etype_str) {
krb5_enctype enctype;
ret = krb5_string_to_enctype(context, etype_str, &enctype);
if (ret)
krb5_errx (context, 1, "unrecognized enctype: %s", etype_str);
krb5_get_creds_opt_set_enctype(context, opt, enctype);
}
if (impersonate_str) {
ret = krb5_parse_name(context, impersonate_str, &impersonate);
if (ret)
krb5_err (context, 1, ret, "krb5_parse_name %s", impersonate_str);
krb5_get_creds_opt_set_impersonate(context, opt, impersonate);
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_STORE);
}
if (out_cache_str)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_STORE);
if (forwardable_flag)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_FORWARDABLE);
if (!transit_flag)
krb5_get_creds_opt_add_options(context, opt, KRB5_GC_NO_TRANSIT_CHECK);
if (delegation_cred_str) {
krb5_ccache id;
krb5_creds c, mc;
Ticket ticket;
krb5_cc_clear_mcred(&mc);
ret = krb5_cc_get_principal(context, cache, &mc.server);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_get_principal");
ret = krb5_cc_resolve(context, delegation_cred_str, &id);
if(ret)
krb5_err (context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_retrieve_cred(context, id, 0, &mc, &c);
if(ret)
krb5_err (context, 1, ret, "krb5_cc_retrieve_cred");
ret = decode_Ticket(c.ticket.data, c.ticket.length, &ticket, NULL);
if (ret) {
krb5_clear_error_string(context);
krb5_err (context, 1, ret, "decode_Ticket");
}
krb5_free_cred_contents(context, &c);
ret = krb5_get_creds_opt_set_ticket(context, opt, &ticket);
if(ret)
krb5_err (context, 1, ret, "krb5_get_creds_opt_set_ticket");
free_Ticket(&ticket);
krb5_cc_close (context, id);
krb5_free_principal(context, mc.server);
krb5_get_creds_opt_add_options(context, opt,
KRB5_GC_CONSTRAINED_DELEGATION);
}
ret = krb5_parse_name(context, argv[0], &server);
if (ret)
krb5_err (context, 1, ret, "krb5_parse_name %s", argv[0]);
if (nametype_str) {
ret = krb5_parse_nametype(context, nametype_str,
&server->name.name_type);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_nametype");
}
ret = krb5_get_creds(context, opt, cache, server, &out);
if (ret)
krb5_err (context, 1, ret, "krb5_get_creds");
if (out_cache_str) {
krb5_ccache id;
ret = krb5_cc_resolve(context, out_cache_str, &id);
if(ret)
krb5_err (context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_initialize(context, id, out->client);
if(ret)
krb5_err (context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_store_cred(context, id, out);
if(ret)
krb5_err (context, 1, ret, "krb5_cc_store_cred");
krb5_cc_close (context, id);
}
krb5_free_creds(context, out);
krb5_free_principal(context, server);
krb5_get_creds_opt_free(context, opt);
krb5_cc_close (context, cache);
krb5_free_context (context);
return 0;
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
krb5_kdc_configuration *config;
krb5_storage *sp;
int fd, optidx = 0;
setprogname(argv[0]);
if(getarg(args, num_args, argc, argv, &optidx))
usage(1);
if(help_flag)
usage(0);
if(version_flag){
print_version(NULL);
exit(0);
}
ret = krb5_init_context(&context);
if (ret)
errx (1, "krb5_init_context failed to parse configuration file");
ret = krb5_kdc_get_config(context, &config);
if (ret)
krb5_err(context, 1, ret, "krb5_kdc_default_config");
kdc_openlog(context, "kdc-replay", config);
ret = krb5_kdc_set_dbinfo(context, config);
if (ret)
krb5_err(context, 1, ret, "krb5_kdc_set_dbinfo");
#ifdef PKINIT
if (config->enable_pkinit) {
if (config->pkinit_kdc_identity == NULL)
krb5_errx(context, 1, "pkinit enabled but no identity");
if (config->pkinit_kdc_anchors == NULL)
krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
krb5_kdc_pk_initialize(context, config,
config->pkinit_kdc_identity,
config->pkinit_kdc_anchors,
config->pkinit_kdc_cert_pool,
config->pkinit_kdc_revoke);
}
#endif /* PKINIT */
if (argc != 2)
errx(1, "argc != 2");
printf("kdc replay\n");
fd = open(argv[1], O_RDONLY);
if (fd < 0)
err(1, "open: %s", argv[1]);
sp = krb5_storage_from_fd(fd);
if (sp == NULL)
krb5_errx(context, 1, "krb5_storage_from_fd");
while(1) {
struct sockaddr_storage sa;
krb5_socklen_t salen = sizeof(sa);
struct timeval tv;
krb5_address a;
krb5_data d, r;
uint32_t t, clty, tag;
char astr[80];
ret = krb5_ret_uint32(sp, &t);
if (ret == HEIM_ERR_EOF)
break;
else if (ret)
krb5_errx(context, 1, "krb5_ret_uint32(version)");
if (t != 1)
krb5_errx(context, 1, "version not 1");
ret = krb5_ret_uint32(sp, &t);
if (ret)
krb5_errx(context, 1, "krb5_ret_uint32(time)");
ret = krb5_ret_address(sp, &a);
if (ret)
krb5_errx(context, 1, "krb5_ret_address");
ret = krb5_ret_data(sp, &d);
if (ret)
krb5_errx(context, 1, "krb5_ret_data");
ret = krb5_ret_uint32(sp, &clty);
if (ret)
krb5_errx(context, 1, "krb5_ret_uint32(class|type)");
ret = krb5_ret_uint32(sp, &tag);
if (ret)
krb5_errx(context, 1, "krb5_ret_uint32(tag)");
ret = krb5_addr2sockaddr (context, &a, (struct sockaddr *)&sa,
&salen, 88);
if (ret == KRB5_PROG_ATYPE_NOSUPP)
goto out;
else if (ret)
krb5_err(context, 1, ret, "krb5_addr2sockaddr");
ret = krb5_print_address(&a, astr, sizeof(astr), NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_print_address");
printf("processing request from %s, %lu bytes\n",
astr, (unsigned long)d.length);
r.length = 0;
r.data = NULL;
tv.tv_sec = t;
tv.tv_usec = 0;
krb5_kdc_update_time(&tv);
krb5_set_real_time(context, tv.tv_sec, 0);
ret = krb5_kdc_process_request(context, config, d.data, d.length,
&r, NULL, astr,
(struct sockaddr *)&sa, 0);
if (ret)
krb5_err(context, 1, ret, "krb5_kdc_process_request");
if (r.length) {
Der_class cl;
Der_type ty;
unsigned int tag2;
ret = der_get_tag (r.data, r.length,
&cl, &ty, &tag2, NULL);
if (MAKE_TAG(cl, ty, 0) != clty)
krb5_errx(context, 1, "class|type mismatch: %d != %d",
(int)MAKE_TAG(cl, ty, 0), (int)clty);
if (tag != tag2)
krb5_errx(context, 1, "tag mismatch");
krb5_data_free(&r);
} else {
if (clty != 0xffffffff)
krb5_errx(context, 1, "clty not invalid");
if (tag != 0xffffffff)
krb5_errx(context, 1, "tag not invalid");
}
out:
krb5_data_free(&d);
krb5_free_address(context, &a);
}
krb5_storage_free(sp);
krb5_free_context(context);
printf("done\n");
return 0;
}
static void
test_cf2(krb5_context context)
{
krb5_error_code ret;
krb5_data pw, p1, p2;
krb5_salt salt;
krb5_keyblock k1, k2, k3;
krb5_crypto c1, c2;
unsigned int i;
unsigned int errors = 0;
ret = krb5_allow_weak_crypto(context, 1);
if (ret)
krb5_err(context, 1, ret, "krb5_allow_weak_crypto");
for (i = 0; i < sizeof(cf2)/sizeof(cf2[0]); i++) {
pw.data = cf2[i].p1;
pw.length = strlen(cf2[i].p1);
salt.salttype = (krb5_salttype)KRB5_PADATA_PW_SALT;
salt.saltvalue.data = cf2[i].p1;
salt.saltvalue.length = strlen(cf2[i].p1);
ret = krb5_string_to_key_data_salt(context,
cf2[i].e1,
pw,
salt,
&k1);
if (ret)
krb5_err(context, 1, ret, "krb5_string_to_key_data_salt");
ret = krb5_crypto_init(context, &k1, 0, &c1);
if (ret)
krb5_err(context, 1, ret, "krb5_crypto_init");
pw.data = cf2[i].p2;
pw.length = strlen(cf2[i].p2);
salt.saltvalue.data = cf2[i].p2;
salt.saltvalue.length = strlen(cf2[i].p2);
ret = krb5_string_to_key_data_salt(context,
cf2[i].e2,
pw,
salt,
&k2);
if (ret)
krb5_err(context, 1, ret, "krb5_string_to_key_data_salt");
ret = krb5_crypto_init(context, &k2, 0, &c2);
if (ret)
krb5_err(context, 1, ret, "krb5_crypto_init");
p1.data = cf2[i].pepper1;
p1.length = strlen(cf2[i].pepper1);
p2.data = cf2[i].pepper2;
p2.length = strlen(cf2[i].pepper2);
ret = krb5_crypto_fx_cf2(context, c1, c2, &p1, &p2, cf2[i].e3, &k3);
if (ret == KRB5_PROG_ETYPE_NOSUPP) {
krb5_warn(context, ret, "KRB-FX-CF2 not supported for enctype %d",
cf2[i].e1);
continue;
} else if (ret) {
krb5_err(context, 1, ret, "krb5_crypto_fx_cf2");
}
if (k3.keytype != cf2[i].e3) {
errors++;
krb5_warnx(context, "length not right for enctype %d", cf2[i].e3);
continue;
}
if (k3.keyvalue.length != cf2[i].len ||
memcmp(k3.keyvalue.data, cf2[i].key, cf2[i].len) != 0) {
errors++;
krb5_warnx(context, "key not same for enctypes %d %d %d",
cf2[i].e1, cf2[i].e2, cf2[i].e3);
continue;
}
krb5_crypto_destroy(context, c1);
krb5_crypto_destroy(context, c2);
krb5_free_keyblock_contents(context, &k1);
krb5_free_keyblock_contents(context, &k2);
krb5_free_keyblock_contents(context, &k3);
}
if (errors)
krb5_errx(context, 1, "%u KRB-FX-CF2 vectors failed", errors);
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
krb5_ccache cache;
krb5_creds in, *out;
krb5_kdc_flags flags;
int optind = 0;
flags.i = 0;
ret = krb5_init_context (&context);
if (ret)
errx(1, "krb5_init_context failed: %d", ret);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
usage(1);
if (help_flag)
usage (0);
if(version_flag) {
print_version(NULL);
exit(0);
}
argc -= optind;
argv += optind;
if (argc != 1)
usage (1);
ret = krb5_cc_default(context, &cache);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_default");
if(cache_str) {
ret = krb5_cc_resolve(context, cache_str, &cache);
if (ret)
krb5_err (context, 1, ret, "%s", cache_str);
} else {
ret = krb5_cc_default (context, &cache);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_resolve");
}
memset(&in, 0, sizeof(in));
if (etype_str) {
krb5_enctype enctype;
ret = krb5_string_to_enctype(context, etype_str, &enctype);
if (ret)
krb5_errx (context, 1, "unrecognized enctype: %s", etype_str);
in.session.keytype = enctype;
}
ret = krb5_cc_get_principal(context, cache, &in.client);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_get_principal");
ret = krb5_parse_name(context, argv[0], &in.server);
if (ret)
krb5_err (context, 1, ret, "krb5_parse_name %s", argv[0]);
if (!transit_check)
flags.b.disable_transited_check = 1;
if (canonicalize)
flags.b.canonicalize = 1;
in.times.endtime = 0;
ret = krb5_get_credentials_with_flags(context, 0, flags, cache, &in, &out);
if (ret)
krb5_err (context, 1, ret, "krb5_get_credentials");
krb5_free_cred_contents(context, out);
return 0;
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
krb5_ccache ccache = NULL;
HDB *db = NULL;
int optind = 0;
int type = 0;
if(getarg(args, num_args, argc, argv, &optind))
usage(1);
if(help_flag)
usage(0);
if(version_flag){
print_version(NULL);
exit(0);
}
ret = krb5_init_context(&context);
if(ret)
exit(1);
if(local_realm)
krb5_set_default_realm(context, local_realm);
if(v4_realm == NULL) {
ret = krb5_get_default_realm(context, &v4_realm);
if(ret)
krb5_err(context, 1, ret, "krb5_get_default_realm");
}
if(afs_cell == NULL) {
afs_cell = strdup(v4_realm);
if(afs_cell == NULL)
krb5_errx(context, 1, "out of memory");
strlwr(afs_cell);
}
if(encrypt_flag && decrypt_flag)
krb5_errx(context, 1,
"only one of `--encrypt' and `--decrypt' is meaningful");
if(source_type != NULL) {
type = parse_source_type(source_type);
if(type == 0)
krb5_errx(context, 1, "unknown source type `%s'", source_type);
} else if(type == 0)
type = HPROP_HEIMDAL;
if(!to_stdout)
get_creds(context, &ccache);
if(decrypt_flag || encrypt_flag) {
ret = hdb_read_master_key(context, mkeyfile, &mkey5);
if(ret && ret != ENOENT)
krb5_err(context, 1, ret, "hdb_read_master_key");
if(ret)
krb5_errx(context, 1, "No master key file found");
}
#ifdef KRB4
if (IS_TYPE_V4(type)) {
int e;
if (v4_realm == NULL) {
e = krb_get_lrealm(realm_buf, 1);
if(e)
krb5_errx(context, 1, "krb_get_lrealm: %s",
krb_get_err_text(e));
v4_realm = realm_buf;
}
}
#endif
switch(type) {
#ifdef KRB4
case HPROP_KRB4_DB:
if (database == NULL)
krb5_errx(context, 1, "no database specified");
break;
#endif
case HPROP_KASERVER:
if (database == NULL)
database = DEFAULT_DATABASE;
ka_use_null_salt = krb5_config_get_bool_default(context, NULL, FALSE,
"hprop",
"afs_uses_null_salt",
NULL);
break;
case HPROP_KRB4_DUMP:
if (database == NULL)
krb5_errx(context, 1, "no dump file specified");
break;
case HPROP_MIT_DUMP:
if (database == NULL)
krb5_errx(context, 1, "no dump file specified");
break;
case HPROP_HEIMDAL:
ret = hdb_create (context, &db, database);
if(ret)
krb5_err(context, 1, ret, "hdb_create: %s", database);
ret = db->hdb_open(context, db, O_RDONLY, 0);
if(ret)
krb5_err(context, 1, ret, "db->hdb_open");
break;
default:
krb5_errx(context, 1, "unknown dump type `%d'", type);
break;
}
if (to_stdout)
dump_database (context, type, database, db);
else
propagate_database (context, type, database,
db, ccache, optind, argc, argv);
if(ccache != NULL)
krb5_cc_destroy(context, ccache);
if(db != NULL)
(*db->hdb_destroy)(context, db);
krb5_free_context(context);
return 0;
}
static void
test_cc_config(krb5_context context)
{
krb5_error_code ret;
krb5_principal p;
krb5_ccache id;
unsigned int i;
ret = krb5_cc_new_unique(context, "MEMORY", "bar", &id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique");
ret = krb5_parse_name(context, "*****@*****.**", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_cc_initialize(context, id, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
for (i = 0; i < 1000; i++) {
krb5_data data, data2;
const char *name = "foo";
krb5_principal p1 = NULL;
if (i & 1)
p1 = p;
data.data = rk_UNCONST(name);
data.length = strlen(name);
ret = krb5_cc_set_config(context, id, p1, "FriendlyName", &data);
if (ret)
krb5_errx(context, 1, "krb5_cc_set_config: add");
ret = krb5_cc_get_config(context, id, p1, "FriendlyName", &data2);
if (ret)
krb5_errx(context, 1, "krb5_cc_get_config: first");
krb5_data_free(&data2);
ret = krb5_cc_set_config(context, id, p1, "FriendlyName", &data);
if (ret)
krb5_errx(context, 1, "krb5_cc_set_config: add -second");
ret = krb5_cc_get_config(context, id, p1, "FriendlyName", &data2);
if (ret)
krb5_errx(context, 1, "krb5_cc_get_config: second");
krb5_data_free(&data2);
ret = krb5_cc_set_config(context, id, p1, "FriendlyName", NULL);
if (ret)
krb5_errx(context, 1, "krb5_cc_set_config: delete");
ret = krb5_cc_get_config(context, id, p1, "FriendlyName", &data2);
if (ret == 0)
krb5_errx(context, 1, "krb5_cc_get_config: non-existant");
}
krb5_cc_destroy(context, id);
krb5_free_principal(context, p);
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
krb5_ccache ccache;
krb5_principal principal = NULL;
int optidx = 0;
krb5_deltat ticket_life = 0;
#ifdef HAVE_SIGACTION
struct sigaction sa;
#endif
setprogname(argv[0]);
setlocale(LC_ALL, "");
bindtextdomain("heimdal_kuser", HEIMDAL_LOCALEDIR);
textdomain("heimdal_kuser");
ret = krb5_init_context(&context);
if (ret == KRB5_CONFIG_BADFORMAT)
errx(1, "krb5_init_context failed to parse configuration file");
else if (ret)
errx(1, "krb5_init_context failed: %d", ret);
if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage(0);
if (version_flag) {
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
/*
* Open the keytab now, we use the keytab to determine the principal's
* realm when the requested principal has no realm.
*/
if (use_keytab || keytab_str) {
if (keytab_str)
ret = krb5_kt_resolve(context, keytab_str, &kt);
else
ret = krb5_kt_default(context, &kt);
if (ret)
krb5_err(context, 1, ret, "resolving keytab");
}
if (pk_enterprise_flag) {
ret = krb5_pk_enterprise_cert(context, pk_user_id,
argv[0], &principal,
&ent_user_id);
if (ret)
krb5_err(context, 1, ret, "krb5_pk_enterprise_certs");
pk_user_id = NULL;
} else if (anonymous_flag) {
ret = krb5_make_principal(context, &principal, argv[0],
KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME,
NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_make_principal");
krb5_principal_set_type(context, principal, KRB5_NT_WELLKNOWN);
} else if (use_keytab || keytab_str) {
get_princ_kt(context, &principal, argv[0]);
} else {
get_princ(context, &principal, argv[0]);
}
if (fcache_version)
krb5_set_fcache_version(context, fcache_version);
if (renewable_flag == -1)
/* this seems somewhat pointless, but whatever */
krb5_appdefault_boolean(context, "kinit",
krb5_principal_get_realm(context, principal),
"renewable", FALSE, &renewable_flag);
if (do_afslog == -1)
krb5_appdefault_boolean(context, "kinit",
krb5_principal_get_realm(context, principal),
"afslog", TRUE, &do_afslog);
if (cred_cache)
ret = krb5_cc_resolve(context, cred_cache, &ccache);
else {
if (argc > 1) {
char s[1024];
ret = krb5_cc_new_unique(context, NULL, NULL, &ccache);
if (ret)
krb5_err(context, 1, ret, "creating cred cache");
snprintf(s, sizeof(s), "%s:%s",
krb5_cc_get_type(context, ccache),
krb5_cc_get_name(context, ccache));
setenv("KRB5CCNAME", s, 1);
} else {
ret = krb5_cc_cache_match(context, principal, &ccache);
if (ret) {
const char *type;
ret = krb5_cc_default(context, &ccache);
if (ret)
krb5_err(context, 1, ret,
N_("resolving credentials cache", ""));
/*
* Check if the type support switching, and we do,
* then do that instead over overwriting the current
* default credential
*/
type = krb5_cc_get_type(context, ccache);
if (krb5_cc_support_switch(context, type)) {
krb5_cc_close(context, ccache);
ret = get_switched_ccache(context, type, principal,
&ccache);
}
}
}
}
if (ret)
krb5_err(context, 1, ret, N_("resolving credentials cache", ""));
#ifndef NO_AFS
if (argc > 1 && k_hasafs())
k_setpag();
#endif
if (lifetime) {
int tmp = parse_time(lifetime, "s");
if (tmp < 0)
errx(1, N_("unparsable time: %s", ""), lifetime);
ticket_life = tmp;
}
if (addrs_flag == 0 && extra_addresses.num_strings > 0)
krb5_errx(context, 1,
N_("specifying both extra addresses and "
"no addresses makes no sense", ""));
{
int i;
krb5_addresses addresses;
memset(&addresses, 0, sizeof(addresses));
for(i = 0; i < extra_addresses.num_strings; i++) {
ret = krb5_parse_address(context, extra_addresses.strings[i],
&addresses);
if (ret == 0) {
krb5_add_extra_addresses(context, &addresses);
krb5_free_addresses(context, &addresses);
}
}
free_getarg_strings(&extra_addresses);
}
if (renew_flag || validate_flag) {
ret = renew_validate(context, renew_flag, validate_flag,
ccache, server_str, ticket_life);
#ifndef NO_AFS
if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
krb5_afslog(context, ccache, NULL, NULL);
#endif
exit(ret != 0);
}
ret = get_new_tickets(context, principal, ccache, ticket_life, 1);
if (ret)
exit(1);
#ifndef NO_AFS
if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
krb5_afslog(context, ccache, NULL, NULL);
#endif
if (argc > 1) {
struct renew_ctx ctx;
time_t timeout;
timeout = ticket_lifetime(context, ccache, principal,
server_str, NULL) / 2;
ctx.context = context;
ctx.ccache = ccache;
ctx.principal = principal;
ctx.ticket_life = ticket_life;
ctx.timeout = timeout;
#ifdef HAVE_SIGACTION
memset(&sa, 0, sizeof(sa));
sigemptyset(&sa.sa_mask);
sa.sa_handler = handle_siginfo;
sigaction(SIGINFO, &sa, NULL);
#endif
ret = simple_execvp_timed(argv[1], argv+1,
renew_func, &ctx, timeout);
#define EX_NOEXEC 126
#define EX_NOTFOUND 127
if (ret == EX_NOEXEC)
krb5_warnx(context, N_("permission denied: %s", ""), argv[1]);
else if (ret == EX_NOTFOUND)
krb5_warnx(context, N_("command not found: %s", ""), argv[1]);
krb5_cc_destroy(context, ccache);
#ifndef NO_AFS
if (k_hasafs())
k_unlog();
#endif
} else {
krb5_cc_close(context, ccache);
ret = 0;
}
krb5_free_principal(context, principal);
if (kt)
krb5_kt_close(context, kt);
krb5_free_context(context);
return ret;
}
int
main(int argc, char **argv)
{
char buf[1024];
krb5_error_code ret;
krb5_enctype enctype;
hdb_master_key mkey;
krb5_program_setup(&context, argc, argv, args, num_args, NULL);
if(help_flag)
krb5_std_usage(0, args, num_args);
if(version_flag){
print_version(NULL);
exit(0);
}
if (master_key_fd != -1 && random_key_flag)
krb5_errx(context, 1, "random-key and master-key-fd "
"is mutual exclusive");
if (keyfile == NULL)
asprintf(&keyfile, "%s/m-key", hdb_db_dir(context));
ret = krb5_string_to_enctype(context, enctype_str, &enctype);
if(ret)
krb5_err(context, 1, ret, "krb5_string_to_enctype");
ret = hdb_read_master_key(context, keyfile, &mkey);
if(ret && ret != ENOENT)
krb5_err(context, 1, ret, "reading master key from %s", keyfile);
if (convert_flag) {
if (ret)
krb5_err(context, 1, ret, "reading master key from %s", keyfile);
} else {
krb5_keyblock key;
krb5_salt salt;
salt.salttype = KRB5_PW_SALT;
/* XXX better value? */
salt.saltvalue.data = NULL;
salt.saltvalue.length = 0;
if (random_key_flag) {
ret = krb5_generate_random_keyblock(context, enctype, &key);
if (ret)
krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
} else {
if(master_key_fd != -1) {
ssize_t n;
n = read(master_key_fd, buf, sizeof(buf));
if(n <= 0)
krb5_err(context, 1, errno, "failed to read passphrase");
buf[n] = '\0';
buf[strcspn(buf, "\r\n")] = '\0';
} else {
if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Master key: ", 1))
exit(1);
}
krb5_string_to_key_salt(context, enctype, buf, salt, &key);
}
ret = hdb_add_master_key(context, &key, &mkey);
krb5_free_keyblock_contents(context, &key);
}
{
char *new, *old;
asprintf(&old, "%s.old", keyfile);
asprintf(&new, "%s.new", keyfile);
if(unlink(new) < 0 && errno != ENOENT) {
ret = errno;
goto out;
}
krb5_warnx(context, "writing key to `%s'", keyfile);
ret = hdb_write_master_key(context, new, mkey);
if(ret)
unlink(new);
else {
#ifndef NO_POSIX_LINKS
unlink(old);
if(link(keyfile, old) < 0 && errno != ENOENT) {
ret = errno;
unlink(new);
} else {
#endif
if(rename(new, keyfile) < 0) {
int
main(int argc, char **argv)
{
krb5_context context;
krb5_error_code ret;
int fd, optidx = 0;
krb5_storage *sp;
const char *fn = "test-store-data";
setprogname(argv[0]);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage (0);
if(version_flag){
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
ret = krb5_init_context (&context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
/*
* Test encoding/decoding of primotive types on diffrent backends
*/
sp = krb5_storage_emem();
if (sp == NULL)
krb5_errx(context, 1, "krb5_storage_emem: no mem");
test_storage(context, sp);
check_too_large(context, sp);
krb5_storage_free(sp);
fd = open(fn, O_RDWR|O_CREAT|O_TRUNC, 0600);
if (fd < 0)
krb5_err(context, 1, errno, "open(%s)", fn);
sp = krb5_storage_from_fd(fd);
close(fd);
if (sp == NULL)
krb5_errx(context, 1, "krb5_storage_from_fd: %s no mem", fn);
test_storage(context, sp);
krb5_storage_free(sp);
unlink(fn);
/*
* test truncate behavior
*/
fd = open(fn, O_RDWR|O_CREAT|O_TRUNC, 0600);
if (fd < 0)
krb5_err(context, 1, errno, "open(%s)", fn);
sp = krb5_storage_from_fd(fd);
if (sp == NULL)
krb5_errx(context, 1, "krb5_storage_from_fd: %s no mem", fn);
test_truncate(context, sp, fd);
krb5_storage_free(sp);
close(fd);
unlink(fn);
krb5_free_context(context);
return 0;
}
static krb5_error_code
get_new_tickets(krb5_context context,
krb5_principal principal,
krb5_ccache ccache,
krb5_deltat ticket_life,
int interactive)
{
krb5_error_code ret;
krb5_get_init_creds_opt *opt;
krb5_creds cred;
char passwd[256];
krb5_deltat start_time = 0;
krb5_deltat renew = 0;
const char *renewstr = NULL;
krb5_enctype *enctype = NULL;
krb5_ccache tempccache;
krb5_keytab kt = NULL;
krb5_init_creds_context ctx;
#ifndef NO_NTLM
struct ntlm_buf ntlmkey;
memset(&ntlmkey, 0, sizeof(ntlmkey));
#endif
passwd[0] = '\0';
if (password_file) {
FILE *f;
if (strcasecmp("STDIN", password_file) == 0)
f = stdin;
else
f = fopen(password_file, "r");
if (f == NULL)
krb5_errx(context, 1, "Failed to open the password file %s",
password_file);
if (fgets(passwd, sizeof(passwd), f) == NULL)
krb5_errx(context, 1,
N_("Failed to read password from file %s", ""),
password_file);
if (f != stdin)
fclose(f);
passwd[strcspn(passwd, "\n")] = '\0';
}
#ifdef __APPLE__
if (passwd[0] == '\0') {
const char *realm;
OSStatus osret;
UInt32 length;
void *buffer;
char *name;
realm = krb5_principal_get_realm(context, principal);
ret = krb5_unparse_name_flags(context, principal,
KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
if (ret)
goto nopassword;
osret = SecKeychainFindGenericPassword(NULL, strlen(realm), realm,
strlen(name), name,
&length, &buffer, NULL);
free(name);
if (osret == noErr && length < sizeof(passwd) - 1) {
memcpy(passwd, buffer, length);
passwd[length] = '\0';
}
nopassword:
do { } while(0);
}
#endif
memset(&cred, 0, sizeof(cred));
ret = krb5_get_init_creds_opt_alloc (context, &opt);
if (ret)
krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
krb5_get_init_creds_opt_set_default_flags(context, "kinit",
krb5_principal_get_realm(context, principal), opt);
if(forwardable_flag != -1)
krb5_get_init_creds_opt_set_forwardable (opt, forwardable_flag);
if(proxiable_flag != -1)
krb5_get_init_creds_opt_set_proxiable (opt, proxiable_flag);
if(anonymous_flag)
krb5_get_init_creds_opt_set_anonymous (opt, anonymous_flag);
if (pac_flag != -1)
krb5_get_init_creds_opt_set_pac_request(context, opt,
pac_flag ? TRUE : FALSE);
if (canonicalize_flag)
krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
if (pk_enterprise_flag || enterprise_flag || canonicalize_flag || windows_flag)
krb5_get_init_creds_opt_set_win2k(context, opt, TRUE);
if (pk_user_id || ent_user_id || anonymous_flag) {
ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
principal,
pk_user_id,
pk_x509_anchors,
NULL,
NULL,
pk_use_enckey ? 2 : 0 |
anonymous_flag ? 4 : 0,
krb5_prompter_posix,
NULL,
passwd);
if (ret)
krb5_err(context, 1, ret, "krb5_get_init_creds_opt_set_pkinit");
if (ent_user_id)
krb5_get_init_creds_opt_set_pkinit_user_certs(context, opt, ent_user_id);
}
if (addrs_flag != -1)
krb5_get_init_creds_opt_set_addressless(context, opt,
addrs_flag ? FALSE : TRUE);
if (renew_life == NULL && renewable_flag)
renewstr = "1 month";
if (renew_life)
renewstr = renew_life;
if (renewstr) {
renew = parse_time (renewstr, "s");
if (renew < 0)
errx (1, "unparsable time: %s", renewstr);
krb5_get_init_creds_opt_set_renew_life (opt, renew);
}
if(ticket_life != 0)
krb5_get_init_creds_opt_set_tkt_life (opt, ticket_life);
if(start_str) {
int tmp = parse_time (start_str, "s");
if (tmp < 0)
errx (1, N_("unparsable time: %s", ""), start_str);
start_time = tmp;
}
if(etype_str.num_strings) {
int i;
enctype = malloc(etype_str.num_strings * sizeof(*enctype));
if(enctype == NULL)
errx(1, "out of memory");
for(i = 0; i < etype_str.num_strings; i++) {
ret = krb5_string_to_enctype(context,
etype_str.strings[i],
&enctype[i]);
if(ret)
errx(1, "unrecognized enctype: %s", etype_str.strings[i]);
}
krb5_get_init_creds_opt_set_etype_list(opt, enctype,
etype_str.num_strings);
}
ret = krb5_init_creds_init(context, principal, krb5_prompter_posix, NULL, start_time, opt, &ctx);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_init");
if (server_str) {
ret = krb5_init_creds_set_service(context, ctx, server_str);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_set_service");
}
if (fast_armor_cache_string) {
krb5_ccache fastid;
ret = krb5_cc_resolve(context, fast_armor_cache_string, &fastid);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve(FAST cache)");
ret = krb5_init_creds_set_fast_ccache(context, ctx, fastid);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_set_fast_ccache");
}
if(use_keytab || keytab_str) {
if(keytab_str)
ret = krb5_kt_resolve(context, keytab_str, &kt);
else
ret = krb5_kt_default(context, &kt);
if (ret)
krb5_err(context, 1, ret, "resolving keytab");
ret = krb5_init_creds_set_keytab(context, ctx, kt);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_set_keytab");
} else if (pk_user_id || ent_user_id || anonymous_flag) {
} else if (!interactive) {
krb5_warnx(context, "Not interactive, failed to get initial ticket");
krb5_get_init_creds_opt_free(context, opt);
return 0;
} else {
if (passwd[0] == '\0') {
char *p, *prompt;
int aret = 0;
ret = krb5_unparse_name (context, principal, &p);
if (!ret) {
aret = asprintf (&prompt, N_("%s's Password: "******""), p);
free (p);
}
if (ret || aret == -1)
errx(1, "failed to generate passwd prompt: not enough memory");
if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
memset(passwd, 0, sizeof(passwd));
errx(1, "failed to read password");
}
free (prompt);
}
if (passwd[0]) {
ret = krb5_init_creds_set_password(context, ctx, passwd);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_set_password");
}
}
ret = krb5_init_creds_get(context, ctx);
#ifndef NO_NTLM
if (ntlm_domain && passwd[0])
heim_ntlm_nt_key(passwd, &ntlmkey);
#endif
memset(passwd, 0, sizeof(passwd));
switch(ret){
case 0:
break;
case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
exit(1);
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
case KRB5KRB_AP_ERR_MODIFIED:
case KRB5KDC_ERR_PREAUTH_FAILED:
krb5_errx(context, 1, N_("Password incorrect", ""));
break;
case KRB5KRB_AP_ERR_V4_REPLY:
krb5_errx(context, 1, N_("Looks like a Kerberos 4 reply", ""));
break;
default:
krb5_err(context, 1, ret, "krb5_get_init_creds");
}
krb5_process_last_request(context, opt, ctx);
ret = krb5_init_creds_get_creds(context, ctx, &cred);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_get_creds");
if(ticket_life != 0) {
if(abs(cred.times.endtime - cred.times.starttime - ticket_life) > 30) {
char life[64];
unparse_time_approx(cred.times.endtime - cred.times.starttime,
life, sizeof(life));
krb5_warnx(context, N_("NOTICE: ticket lifetime is %s", ""), life);
}
}
if(renew_life) {
if(abs(cred.times.renew_till - cred.times.starttime - renew) > 30) {
char life[64];
unparse_time_approx(cred.times.renew_till - cred.times.starttime,
life, sizeof(life));
krb5_warnx(context,
N_("NOTICE: ticket renewable lifetime is %s", ""),
life);
}
}
ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, ccache),
NULL, &tempccache);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_new_unique");
ret = krb5_init_creds_store(context, ctx, tempccache);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_store");
krb5_init_creds_free(context, ctx);
ret = krb5_cc_move(context, tempccache, ccache);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_move");
if (switch_cache_flags)
krb5_cc_switch(context, ccache);
#ifndef NO_NTLM
if (ntlm_domain && ntlmkey.data)
store_ntlmkey(context, ccache, ntlm_domain, &ntlmkey);
#endif
if (ok_as_delegate_flag || windows_flag || use_referrals_flag) {
unsigned char d = 0;
krb5_data data;
if (ok_as_delegate_flag || windows_flag)
d |= 1;
if (use_referrals_flag || windows_flag)
d |= 2;
data.length = 1;
data.data = &d;
krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
}
krb5_get_init_creds_opt_free(context, opt);
if (kt)
krb5_kt_close(context, kt);
if (enctype)
free(enctype);
return 0;
}
krb5_kdc_configuration *
configure(krb5_context context, int argc, char **argv)
{
krb5_kdc_configuration *config;
krb5_error_code ret;
int optidx = 0;
const char *p;
while(getarg(args, num_args, argc, argv, &optidx))
warnx("error at argument `%s'", argv[optidx]);
if(help_flag)
usage (0);
if (version_flag) {
print_version(NULL);
exit(0);
}
if (builtin_hdb_flag) {
char *list;
ret = hdb_list_builtin(context, &list);
if (ret)
krb5_err(context, 1, ret, "listing builtin hdb backends");
printf("builtin hdb backends: %s\n", list);
free(list);
exit(0);
}
argc -= optidx;
argv += optidx;
if (argc != 0)
usage(1);
{
char **files;
if (config_file == NULL) {
asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
if (config_file == NULL)
errx(1, "out of memory");
}
ret = krb5_prepend_config_files_default(config_file, &files);
if (ret)
krb5_err(context, 1, ret, "getting configuration files");
ret = krb5_set_config_files(context, files);
krb5_free_config_files(files);
if(ret)
krb5_err(context, 1, ret, "reading configuration files");
}
ret = krb5_kdc_get_config(context, &config);
if (ret)
krb5_err(context, 1, ret, "krb5_kdc_default_config");
kdc_openlog(context, "kdc", config);
ret = krb5_kdc_set_dbinfo(context, config);
if (ret)
krb5_err(context, 1, ret, "krb5_kdc_set_dbinfo");
if(max_request_str)
max_request_tcp = max_request_udp = parse_bytes(max_request_str, NULL);
if(max_request_tcp == 0){
p = krb5_config_get_string (context,
NULL,
"kdc",
"max-request",
NULL);
if(p)
max_request_tcp = max_request_udp = parse_bytes(p, NULL);
}
if(require_preauth != -1)
config->require_preauth = require_preauth;
if(port_str == NULL){
p = krb5_config_get_string(context, NULL, "kdc", "ports", NULL);
if (p != NULL)
port_str = strdup(p);
}
explicit_addresses.len = 0;
if (addresses_str.num_strings) {
int i;
for (i = 0; i < addresses_str.num_strings; ++i)
add_one_address (context, addresses_str.strings[i], i == 0);
free_getarg_strings (&addresses_str);
} else {
char **foo = krb5_config_get_strings (context, NULL,
"kdc", "addresses", NULL);
if (foo != NULL) {
add_one_address (context, *foo++, TRUE);
while (*foo)
add_one_address (context, *foo++, FALSE);
}
}
if(enable_v4 != -1)
config->enable_v4 = enable_v4;
if(enable_v4_cross_realm != -1)
config->enable_v4_cross_realm = enable_v4_cross_realm;
if(enable_524 != -1)
config->enable_524 = enable_524;
if(enable_http == -1)
enable_http = krb5_config_get_bool(context, NULL, "kdc",
"enable-http", NULL);
if(request_log == NULL)
request_log = krb5_config_get_string(context, NULL,
"kdc",
"kdc-request-log",
NULL);
if (krb5_config_get_string(context, NULL, "kdc",
"enforce-transited-policy", NULL))
krb5_errx(context, 1, "enforce-transited-policy deprecated, "
"use [kdc]transited-policy instead");
if (enable_kaserver != -1)
config->enable_kaserver = enable_kaserver;
#ifdef SUPPORT_DETACH
if(detach_from_console == -1)
detach_from_console = krb5_config_get_bool_default(context, NULL,
DETACH_IS_DEFAULT,
"kdc",
"detach", NULL);
#endif /* SUPPORT_DETACH */
if(max_request_tcp == 0)
max_request_tcp = 64 * 1024;
if(max_request_udp == 0)
max_request_udp = 64 * 1024;
if (port_str == NULL)
port_str = "+";
if (v4_realm)
config->v4_realm = v4_realm;
if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4))
krb5_errx(context, 1, "Kerberos 4 enabled but no realm configured");
if(disable_des == -1)
disable_des = krb5_config_get_bool_default(context, NULL,
FALSE,
"kdc",
"disable-des", NULL);
if(disable_des) {
krb5_enctype_disable(context, ETYPE_DES_CBC_CRC);
krb5_enctype_disable(context, ETYPE_DES_CBC_MD4);
krb5_enctype_disable(context, ETYPE_DES_CBC_MD5);
krb5_enctype_disable(context, ETYPE_DES_CBC_NONE);
krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE);
krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE);
kdc_log(context, config,
0, "DES was disabled, turned off Kerberos V4, 524 "
"and kaserver");
config->enable_v4 = 0;
config->enable_524 = 0;
config->enable_kaserver = 0;
}
krb5_kdc_windc_init(context);
krb5_kdc_pkinit_config(context, config);
return config;
}
int
kswitch(struct kswitch_options *opt, int argc, char **argv)
{
krb5_error_code ret;
krb5_ccache id = NULL;
if (opt->cache_string && opt->principal_string)
krb5_errx(heimtools_context, 1,
N_("Both --cache and --principal given, choose one", ""));
if (opt->interactive_flag) {
krb5_cc_cache_cursor cursor;
krb5_ccache *ids = NULL;
size_t i, len = 0;
char *name;
rtbl_t ct;
ct = rtbl_create();
rtbl_add_column_by_id(ct, 0, "#", 0);
rtbl_add_column_by_id(ct, 1, "Principal", 0);
rtbl_set_column_affix_by_id(ct, 1, " ", "");
rtbl_add_column_by_id(ct, 2, "Type", 0);
rtbl_set_column_affix_by_id(ct, 2, " ", "");
ret = krb5_cc_cache_get_first(heimtools_context, NULL, &cursor);
if (ret)
krb5_err(heimtools_context, 1, ret, "krb5_cc_cache_get_first");
while (krb5_cc_cache_next(heimtools_context, cursor, &id) == 0) {
krb5_principal p;
char num[10];
ret = krb5_cc_get_principal(heimtools_context, id, &p);
if (ret) {
krb5_cc_close(heimtools_context, id);
continue;
}
ret = krb5_unparse_name(heimtools_context, p, &name);
krb5_free_principal(heimtools_context, p);
snprintf(num, sizeof(num), "%d", (int)(len + 1));
rtbl_add_column_entry_by_id(ct, 0, num);
rtbl_add_column_entry_by_id(ct, 1, name);
rtbl_add_column_entry_by_id(ct, 2, krb5_cc_get_type(heimtools_context, id));
free(name);
ids = erealloc(ids, (len + 1) * sizeof(ids[0]));
ids[len] = id;
len++;
}
krb5_cc_cache_end_seq_get(heimtools_context, cursor);
rtbl_format(ct, stdout);
rtbl_destroy(ct);
name = readline("Select number: ");
if (name) {
i = atoi(name);
if (i == 0)
krb5_errx(heimtools_context, 1, "Cache number '%s' is invalid", name);
if (i > len)
krb5_errx(heimtools_context, 1, "Cache number '%s' is too large", name);
id = ids[i - 1];
ids[i - 1] = NULL;
free(name);
} else
krb5_errx(heimtools_context, 1, "No cache selected");
for (i = 0; i < len; i++)
if (ids[i])
krb5_cc_close(heimtools_context, ids[i]);
free(ids);
} else if (opt->principal_string) {
krb5_principal p;
ret = krb5_parse_name(heimtools_context, opt->principal_string, &p);
if (ret)
krb5_err(heimtools_context, 1, ret, "krb5_parse_name: %s",
opt->principal_string);
ret = krb5_cc_cache_match(heimtools_context, p, &id);
if (ret)
krb5_err(heimtools_context, 1, ret,
N_("Did not find principal: %s", ""),
opt->principal_string);
krb5_free_principal(heimtools_context, p);
} else if (opt->cache_string) {
const krb5_cc_ops *ops;
char *str;
int aret;
ops = krb5_cc_get_prefix_ops(heimtools_context, opt->type_string);
if (ops == NULL)
krb5_err(heimtools_context, 1, 0, "krb5_cc_get_prefix_ops");
aret = asprintf(&str, "%s:%s", ops->prefix, opt->cache_string);
if (aret == -1)
krb5_errx(heimtools_context, 1, N_("out of memory", ""));
ret = krb5_cc_resolve(heimtools_context, str, &id);
if (ret)
krb5_err(heimtools_context, 1, ret, "krb5_cc_resolve: %s", str);
free(str);
} else {
krb5_errx(heimtools_context, 1, "missing option for kswitch");
}
ret = krb5_cc_switch(heimtools_context, id);
if (ret)
krb5_err(heimtools_context, 1, ret, "krb5_cc_switch");
krb5_cc_close(heimtools_context, id);
return 0;
}
static kadm5_ret_t
kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
krb5_data *in, krb5_data *out)
{
kadm5_ret_t ret;
int32_t cmd, mask, tmp;
kadm5_server_context *context = kadm_handle;
char client[128], name[128], name2[128];
char *op = "";
krb5_principal princ, princ2;
kadm5_principal_ent_rec ent;
char *password, *expression;
krb5_keyblock *new_keys;
int n_keys;
char **princs;
int n_princs;
krb5_storage *sp;
krb5_unparse_name_fixed(context->context, context->caller,
client, sizeof(client));
sp = krb5_storage_from_data(in);
if (sp == NULL)
krb5_errx(context->context, 1, "out of memory");
krb5_ret_int32(sp, &cmd);
switch(cmd){
case kadm_get:{
op = "GET";
ret = krb5_ret_principal(sp, &princ);
if(ret)
goto fail;
ret = krb5_ret_int32(sp, &mask);
if(ret){
krb5_free_principal(context->context, princ);
goto fail;
}
mask |= KADM5_PRINCIPAL;
krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
krb5_warnx(context->context, "%s: %s %s", client, op, name);
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_GET, princ);
if(ret){
krb5_free_principal(context->context, princ);
goto fail;
}
ret = kadm5_get_principal(kadm_handle, princ, &ent, mask);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
if(ret == 0){
kadm5_store_principal_ent(sp, &ent);
kadm5_free_principal_ent(kadm_handle, &ent);
}
krb5_free_principal(context->context, princ);
break;
}
case kadm_delete:{
op = "DELETE";
ret = krb5_ret_principal(sp, &princ);
if(ret)
goto fail;
krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
krb5_warnx(context->context, "%s: %s %s", client, op, name);
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_DELETE, princ);
if(ret){
krb5_free_principal(context->context, princ);
goto fail;
}
ret = kadm5_delete_principal(kadm_handle, princ);
krb5_free_principal(context->context, princ);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
break;
}
case kadm_create:{
op = "CREATE";
ret = kadm5_ret_principal_ent(sp, &ent);
if(ret)
goto fail;
ret = krb5_ret_int32(sp, &mask);
if(ret){
kadm5_free_principal_ent(context->context, &ent);
goto fail;
}
ret = krb5_ret_string(sp, &password);
if(ret){
kadm5_free_principal_ent(context->context, &ent);
goto fail;
}
krb5_unparse_name_fixed(context->context, ent.principal,
name, sizeof(name));
krb5_warnx(context->context, "%s: %s %s", client, op, name);
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_ADD,
ent.principal);
if(ret){
kadm5_free_principal_ent(context->context, &ent);
memset(password, 0, strlen(password));
free(password);
goto fail;
}
ret = kadm5_create_principal(kadm_handle, &ent,
mask, password);
kadm5_free_principal_ent(kadm_handle, &ent);
memset(password, 0, strlen(password));
free(password);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
break;
}
case kadm_modify:{
op = "MODIFY";
ret = kadm5_ret_principal_ent(sp, &ent);
if(ret)
goto fail;
ret = krb5_ret_int32(sp, &mask);
if(ret){
kadm5_free_principal_ent(context, &ent);
goto fail;
}
krb5_unparse_name_fixed(context->context, ent.principal,
name, sizeof(name));
krb5_warnx(context->context, "%s: %s %s", client, op, name);
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_MODIFY,
ent.principal);
if(ret){
kadm5_free_principal_ent(context, &ent);
goto fail;
}
ret = kadm5_modify_principal(kadm_handle, &ent, mask);
kadm5_free_principal_ent(kadm_handle, &ent);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
break;
}
case kadm_rename:{
op = "RENAME";
ret = krb5_ret_principal(sp, &princ);
if(ret)
goto fail;
ret = krb5_ret_principal(sp, &princ2);
if(ret){
krb5_free_principal(context->context, princ);
goto fail;
}
krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
krb5_unparse_name_fixed(context->context, princ2, name2, sizeof(name2));
krb5_warnx(context->context, "%s: %s %s -> %s",
client, op, name, name2);
ret = _kadm5_acl_check_permission(context,
KADM5_PRIV_ADD,
princ2)
|| _kadm5_acl_check_permission(context,
KADM5_PRIV_DELETE,
princ);
if(ret){
krb5_free_principal(context->context, princ);
krb5_free_principal(context->context, princ2);
goto fail;
}
ret = kadm5_rename_principal(kadm_handle, princ, princ2);
krb5_free_principal(context->context, princ);
krb5_free_principal(context->context, princ2);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
break;
}
case kadm_chpass:{
op = "CHPASS";
ret = krb5_ret_principal(sp, &princ);
if(ret)
goto fail;
ret = krb5_ret_string(sp, &password);
if(ret){
krb5_free_principal(context->context, princ);
goto fail;
}
krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
krb5_warnx(context->context, "%s: %s %s", client, op, name);
/*
* The change is allowed if at least one of:
* a) it's for the principal him/herself and this was an
* initial ticket, but then, check with the password quality
* function.
* b) the user is on the CPW ACL.
*/
if (initial
&& krb5_principal_compare (context->context, context->caller,
princ))
{
krb5_data pwd_data;
const char *pwd_reason;
pwd_data.data = password;
pwd_data.length = strlen(password);
pwd_reason = kadm5_check_password_quality (context->context,
princ, &pwd_data);
if (pwd_reason != NULL)
ret = KADM5_PASS_Q_DICT;
else
ret = 0;
} else
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
if(ret) {
krb5_free_principal(context->context, princ);
memset(password, 0, strlen(password));
free(password);
goto fail;
}
ret = kadm5_chpass_principal(kadm_handle, princ, password);
krb5_free_principal(context->context, princ);
memset(password, 0, strlen(password));
free(password);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
break;
}
case kadm_chpass_with_key:{
int i;
krb5_key_data *key_data;
int n_key_data;
op = "CHPASS_WITH_KEY";
ret = krb5_ret_principal(sp, &princ);
if(ret)
goto fail;
ret = krb5_ret_int32(sp, &n_key_data);
if (ret) {
krb5_free_principal(context->context, princ);
goto fail;
}
/* n_key_data will be squeezed into an int16_t below. */
if (n_key_data < 0 || n_key_data >= 1 << 16 ||
n_key_data > UINT_MAX/sizeof(*key_data)) {
ret = ERANGE;
krb5_free_principal(context->context, princ);
goto fail;
}
key_data = malloc (n_key_data * sizeof(*key_data));
if (key_data == NULL && n_key_data != 0) {
ret = ENOMEM;
krb5_free_principal(context->context, princ);
goto fail;
}
for (i = 0; i < n_key_data; ++i) {
ret = kadm5_ret_key_data (sp, &key_data[i]);
if (ret) {
int16_t dummy = i;
kadm5_free_key_data (context, &dummy, key_data);
free (key_data);
krb5_free_principal(context->context, princ);
goto fail;
}
}
krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
krb5_warnx(context->context, "%s: %s %s", client, op, name);
/*
* The change is only allowed if the user is on the CPW ACL,
* this it to force password quality check on the user.
*/
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
if(ret) {
int16_t dummy = n_key_data;
kadm5_free_key_data (context, &dummy, key_data);
free (key_data);
krb5_free_principal(context->context, princ);
goto fail;
}
ret = kadm5_chpass_principal_with_key(kadm_handle, princ,
n_key_data, key_data);
{
int16_t dummy = n_key_data;
kadm5_free_key_data (context, &dummy, key_data);
}
free (key_data);
krb5_free_principal(context->context, princ);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
break;
}
case kadm_randkey:{
op = "RANDKEY";
ret = krb5_ret_principal(sp, &princ);
if(ret)
goto fail;
krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
krb5_warnx(context->context, "%s: %s %s", client, op, name);
/*
* The change is allowed if at least one of:
* a) it's for the principal him/herself and this was an initial ticket
* b) the user is on the CPW ACL.
*/
if (initial
&& krb5_principal_compare (context->context, context->caller,
princ))
ret = 0;
else
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
if(ret) {
krb5_free_principal(context->context, princ);
goto fail;
}
ret = kadm5_randkey_principal(kadm_handle, princ,
&new_keys, &n_keys);
krb5_free_principal(context->context, princ);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
if(ret == 0){
int i;
krb5_store_int32(sp, n_keys);
for(i = 0; i < n_keys; i++){
krb5_store_keyblock(sp, new_keys[i]);
krb5_free_keyblock_contents(context->context, &new_keys[i]);
}
free(new_keys);
}
break;
}
case kadm_get_privs:{
uint32_t privs;
ret = kadm5_get_privs(kadm_handle, &privs);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
if(ret == 0)
krb5_store_uint32(sp, privs);
break;
}
case kadm_get_princs:{
op = "LIST";
ret = krb5_ret_int32(sp, &tmp);
if(ret)
goto fail;
if(tmp){
ret = krb5_ret_string(sp, &expression);
if(ret)
goto fail;
}else
expression = NULL;
krb5_warnx(context->context, "%s: %s %s", client, op,
expression ? expression : "*");
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_LIST, NULL);
if(ret){
free(expression);
goto fail;
}
ret = kadm5_get_principals(kadm_handle, expression, &princs, &n_princs);
free(expression);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
if(ret == 0){
int i;
krb5_store_int32(sp, n_princs);
for(i = 0; i < n_princs; i++)
krb5_store_string(sp, princs[i]);
kadm5_free_name_list(kadm_handle, princs, &n_princs);
}
break;
}
default:
krb5_warnx(context->context, "%s: UNKNOWN OP %d", client, cmd);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, KADM5_FAILURE);
break;
}
krb5_storage_to_data(sp, out);
krb5_storage_free(sp);
return 0;
fail:
krb5_warn(context->context, ret, "%s", op);
krb5_storage_seek(sp, 0, SEEK_SET);
krb5_store_int32(sp, ret);
krb5_storage_to_data(sp, out);
krb5_storage_free(sp);
return 0;
}
int
main(int argc, char **argv)
{
int f;
char tf[1024];
char shellbuf[MAX_PATH];
char *p;
char *path;
char **args;
unsigned int i;
int optidx = 0;
setprogname(argv[0]);
if(getarg(getargs, num_args, argc, argv, &optidx))
usage(1);
if(help_flag)
usage(0);
if(version_flag) {
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
#ifdef KRB5
{
krb5_error_code ret;
krb5_context context;
krb5_ccache id;
const char *name;
ret = krb5_init_context(&context);
if (ret) /* XXX should this really call exit ? */
errx(1, "no kerberos 5 support");
ret = krb5_cc_new_unique(context, typename_arg, NULL, &id);
if (ret)
krb5_err(context, 1, ret, "Failed generating credential cache");
name = krb5_cc_get_name(context, id);
if (name == NULL)
krb5_errx(context, 1, "Generated credential cache have no name");
snprintf(tf, sizeof(tf), "%s:%s", krb5_cc_get_type(context, id), name);
ret = krb5_cc_close(context, id);
if (ret)
krb5_err(context, 1, ret, "Failed closing credential cache");
krb5_free_context(context);
esetenv("KRB5CCNAME", tf, 1);
}
#endif
snprintf (tf, sizeof(tf), "%s_XXXXXX", TKT_ROOT);
f = mkstemp (tf);
if (f < 0)
err(1, "mkstemp failed");
close (f);
unlink (tf);
esetenv("KRBTKFILE", tf, 1);
i = 0;
args = (char **) malloc((argc + 10)*sizeof(char *));
if (args == NULL)
errx (1, "Out of memory allocating %lu bytes",
(unsigned long)((argc + 10)*sizeof(char *)));
if(*argv == NULL) {
if (roken_get_shell(shellbuf, sizeof(shellbuf)) != NULL)
path = strdup(shellbuf);
else
path = strdup("/bin/sh");
} else {
path = strdup(*argv++);
}
if (path == NULL)
errx (1, "Out of memory copying path");
p=strrchr(path, '/');
if(p)
args[i] = strdup(p+1);
else
args[i] = strdup(path);
if (args[i++] == NULL)
errx (1, "Out of memory copying arguments");
while(*argv)
args[i++] = *argv++;
args[i++] = NULL;
if(k_hasafs())
k_setpag();
unsetenv("PAGPID");
execvp(path, args);
if (errno == ENOENT || c_flag) {
char **sh_args = malloc ((i + 2) * sizeof(char *));
unsigned int j;
if (sh_args == NULL)
errx (1, "Out of memory copying sh arguments");
for (j = 1; j < i; ++j)
sh_args[j + 2] = args[j];
sh_args[0] = "sh";
sh_args[1] = "-c";
sh_args[2] = path;
execv ("/bin/sh", sh_args);
}
err (1, "execvp");
}
static int
append_to_log_file(krb5_context context,
kadm5_server_context *server_context,
krb5_storage *sp, off_t start, ssize_t slen)
{
size_t len;
ssize_t sret;
off_t log_off;
int ret, ret2;
void *buf;
if (verbose)
krb5_warnx(context, "appending diffs to log");
if (slen == 0)
return 0;
if (slen < 0)
return EINVAL;
len = slen;
if (len != slen)
return EOVERFLOW;
buf = malloc(len);
if (buf == NULL && len != 0) {
krb5_warn(context, errno, "malloc: no memory");
return ENOMEM;
}
if (krb5_storage_seek(sp, start, SEEK_SET) != start) {
krb5_errx(context, IPROPD_RESTART,
"krb5_storage_seek() failed"); /* can't happen */
}
sret = krb5_storage_read(sp, buf, len);
if (sret < 0)
return errno;
if (len != (size_t)sret) {
/* Can't happen */
krb5_errx(context, IPROPD_RESTART,
"short krb5_storage_read() from memory buffer");
}
log_off = lseek(server_context->log_context.log_fd, 0, SEEK_CUR);
if (log_off == -1)
return errno;
/*
* Use net_write() so we get an errno if less that len bytes were
* written.
*/
sret = net_write(server_context->log_context.log_fd, buf, len);
free(buf);
if (sret != slen)
ret = errno;
else
ret = fsync(server_context->log_context.log_fd);
if (ret == 0)
return 0;
/*
* Attempt to recover from this. First, truncate the log file
* and reset the fd offset. Failure to do this -> unlink the
* log file and re-create it. Since we're the slave, we ought to be
* able to recover from the log being unlinked...
*/
if (ftruncate(server_context->log_context.log_fd, log_off) == -1 ||
lseek(server_context->log_context.log_fd, log_off, SEEK_SET) == -1) {
(void) kadm5_log_end(server_context);
if (unlink(server_context->log_context.log_file) == -1) {
krb5_err(context, IPROPD_FATAL, errno,
"Failed to recover from failure to write log "
"entries from master to disk");
}
ret2 = kadm5_log_init(server_context);
if (ret2) {
krb5_err(context, IPROPD_RESTART_SLOW, ret2,
"Failed to initialize log to recover from "
"failure to write log entries from master to disk");
}
}
if (ret == ENOSPC || ret == EDQUOT || ret == EFBIG) {
/* Unlink the file in these cases. */
krb5_warn(context, IPROPD_RESTART_SLOW,
"Failed to write log entries from master to disk");
(void) kadm5_log_end(server_context);
if (unlink(server_context->log_context.log_file) == -1) {
krb5_err(context, IPROPD_FATAL, errno,
"Failed to recover from failure to write log "
"entries from master to disk");
}
ret2 = kadm5_log_init(server_context);
if (ret2) {
krb5_err(context, IPROPD_RESTART_SLOW, ret2,
"Failed to initialize log to recover from "
"failure to write log entries from master to disk");
}
return ret;
}
/*
* All other errors we treat as fatal here. This includes, for
* example, EIO and EPIPE (sorry, can't log to pipes nor sockets).
*/
krb5_err(context, IPROPD_FATAL, ret,
"Failed to write log entries from master to disk");
}
static int
HandleOP(InitContext)
{
OM_uint32 maj_stat, min_stat, ret_flags;
int32_t hContext, hCred, flags;
krb5_data target_name, in_token;
int32_t new_context_id = 0, gsm_error = 0;
krb5_data out_token = { 0 , NULL };
gss_ctx_id_t ctx;
gss_cred_id_t creds;
gss_name_t gss_target_name;
gss_buffer_desc input_token, output_token;
gss_OID oid = GSS_C_NO_OID;
gss_buffer_t input_token_ptr = GSS_C_NO_BUFFER;
ret32(c, hContext);
ret32(c, hCred);
ret32(c, flags);
retdata(c, target_name);
retdata(c, in_token);
logmessage(c, __FILE__, __LINE__, 0,
"targetname: <%.*s>", (int)target_name.length,
(char *)target_name.data);
ctx = find_handle(c->handles, hContext, handle_context);
if (ctx == NULL)
hContext = 0;
creds = find_handle(c->handles, hCred, handle_cred);
if (creds == NULL)
abort();
input_token.length = target_name.length;
input_token.value = target_name.data;
maj_stat = gss_import_name(&min_stat,
&input_token,
GSS_KRB5_NT_PRINCIPAL_NAME,
&gss_target_name);
if (GSS_ERROR(maj_stat)) {
logmessage(c, __FILE__, __LINE__, 0,
"import name creds failed with: %d", maj_stat);
gsm_error = convert_gss_to_gsm(maj_stat);
goto out;
}
/* oid from flags */
if (in_token.length) {
input_token.length = in_token.length;
input_token.value = in_token.data;
input_token_ptr = &input_token;
if (ctx == NULL)
krb5_errx(context, 1, "initcreds, context NULL, but not first req");
} else {
input_token.length = 0;
input_token.value = NULL;
if (ctx)
krb5_errx(context, 1, "initcreds, context not NULL, but first req");
}
if ((flags & GSS_C_DELEG_FLAG) != 0)
logmessage(c, __FILE__, __LINE__, 0, "init_sec_context delegating");
if ((flags & GSS_C_DCE_STYLE) != 0)
logmessage(c, __FILE__, __LINE__, 0, "init_sec_context dce-style");
maj_stat = gss_init_sec_context(&min_stat,
creds,
&ctx,
gss_target_name,
oid,
flags & 0x7f,
0,
NULL,
input_token_ptr,
NULL,
&output_token,
&ret_flags,
NULL);
if (GSS_ERROR(maj_stat)) {
if (hContext != 0)
del_handle(&c->handles, hContext);
new_context_id = 0;
logmessage(c, __FILE__, __LINE__, 0,
"gss_init_sec_context returns code: %d/%d",
maj_stat, min_stat);
} else {
if (input_token.length == 0)
new_context_id = add_handle(c, handle_context, ctx);
else
new_context_id = hContext;
}
gsm_error = convert_gss_to_gsm(maj_stat);
if (output_token.length) {
out_token.data = output_token.value;
out_token.length = output_token.length;
}
out:
logmessage(c, __FILE__, __LINE__, 0,
"InitContext return code: %d", gsm_error);
put32(c, new_context_id);
put32(c, gsm_error);
putdata(c, out_token);
gss_release_name(&min_stat, &gss_target_name);
if (output_token.length)
gss_release_buffer(&min_stat, &output_token);
krb5_data_free(&in_token);
krb5_data_free(&target_name);
return 0;
}
static void
receive_loop (krb5_context context,
krb5_storage *sp,
kadm5_server_context *server_context)
{
int ret;
off_t left, right;
void *buf;
int32_t vers, vers2;
ssize_t sret;
/*
* Seek to the current version of the local database.
*/
do {
int32_t len, timestamp, tmp;
if(krb5_ret_int32 (sp, &vers) != 0)
return;
krb5_ret_int32 (sp, ×tamp);
krb5_ret_int32 (sp, &tmp);
krb5_ret_int32 (sp, &len);
if ((uint32_t)vers <= server_context->log_context.version)
krb5_storage_seek(sp, len + 8, SEEK_CUR);
} while((uint32_t)vers <= server_context->log_context.version);
/*
* Read up rest of the entires into the memory...
*/
left = krb5_storage_seek (sp, -16, SEEK_CUR);
right = krb5_storage_seek (sp, 0, SEEK_END);
buf = malloc (right - left);
if (buf == NULL && (right - left) != 0)
krb5_errx (context, 1, "malloc: no memory");
/*
* ...and then write them out to the on-disk log.
*/
krb5_storage_seek (sp, left, SEEK_SET);
krb5_storage_read (sp, buf, right - left);
sret = write (server_context->log_context.log_fd, buf, right-left);
if (sret != right - left)
krb5_err(context, 1, errno, "Failed to write log to disk");
ret = fsync (server_context->log_context.log_fd);
if (ret)
krb5_err(context, 1, errno, "Failed to sync log to disk");
free (buf);
/*
* Go back to the startpoint and start to commit the entires to
* the database.
*/
krb5_storage_seek (sp, left, SEEK_SET);
for(;;) {
int32_t len, len2, timestamp, tmp;
off_t cur, cur2;
enum kadm_ops op;
if(krb5_ret_int32 (sp, &vers) != 0)
break;
ret = krb5_ret_int32 (sp, ×tamp);
if (ret) krb5_errx(context, 1, "entry %ld: too short", (long)vers);
ret = krb5_ret_int32 (sp, &tmp);
if (ret) krb5_errx(context, 1, "entry %ld: too short", (long)vers);
op = tmp;
ret = krb5_ret_int32 (sp, &len);
if (ret) krb5_errx(context, 1, "entry %ld: too short", (long)vers);
if (len < 0)
krb5_errx(context, 1, "log is corrupted, "
"negative length of entry version %ld: %ld",
(long)vers, (long)len);
cur = krb5_storage_seek(sp, 0, SEEK_CUR);
krb5_warnx (context, "replaying entry %d", (int)vers);
ret = kadm5_log_replay (server_context,
op, vers, len, sp);
if (ret) {
const char *s = krb5_get_error_message(server_context->context, ret);
krb5_warnx (context,
"kadm5_log_replay: %ld. Lost entry entry, "
"Database out of sync ?: %s (%d)",
(long)vers, s ? s : "unknown error", ret);
krb5_free_error_message(context, s);
}
{
/*
* Make sure the krb5_log_replay does the right thing wrt
* reading out data from the sp.
*/
cur2 = krb5_storage_seek(sp, 0, SEEK_CUR);
if (cur + len != cur2)
krb5_errx(context, 1,
"kadm5_log_reply version: %ld didn't read the whole entry",
(long)vers);
}
if (krb5_ret_int32 (sp, &len2) != 0)
krb5_errx(context, 1, "entry %ld: postamble too short", (long)vers);
if(krb5_ret_int32 (sp, &vers2) != 0)
krb5_errx(context, 1, "entry %ld: postamble too short", (long)vers);
if (len != len2)
krb5_errx(context, 1, "entry %ld: len != len2", (long)vers);
if (vers != vers2)
krb5_errx(context, 1, "entry %ld: vers != vers2", (long)vers);
}
/*
* Update version
*/
server_context->log_context.version = vers;
}
static void
test_memory_keytab(krb5_context context, const char *keytab, const char *keytab2)
{
krb5_error_code ret;
krb5_keytab id, id2, id3;
krb5_keytab_entry entry, entry2, entry3;
ret = krb5_kt_resolve(context, keytab, &id);
if (ret)
krb5_err(context, 1, ret, "krb5_kt_resolve");
memset(&entry, 0, sizeof(entry));
ret = krb5_parse_name(context, "*****@*****.**", &entry.principal);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
entry.vno = 1;
ret = krb5_generate_random_keyblock(context,
ETYPE_AES256_CTS_HMAC_SHA1_96,
&entry.keyblock);
if (ret)
krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
krb5_kt_add_entry(context, id, &entry);
ret = krb5_kt_resolve(context, keytab, &id2);
if (ret)
krb5_err(context, 1, ret, "krb5_kt_resolve");
ret = krb5_kt_get_entry(context, id,
entry.principal,
0,
ETYPE_AES256_CTS_HMAC_SHA1_96,
&entry2);
if (ret)
krb5_err(context, 1, ret, "krb5_kt_get_entry");
krb5_kt_free_entry(context, &entry2);
ret = krb5_kt_close(context, id);
if (ret)
krb5_err(context, 1, ret, "krb5_kt_close");
ret = krb5_kt_get_entry(context, id2,
entry.principal,
0,
ETYPE_AES256_CTS_HMAC_SHA1_96,
&entry2);
if (ret)
krb5_err(context, 1, ret, "krb5_kt_get_entry");
krb5_kt_free_entry(context, &entry2);
ret = krb5_kt_close(context, id2);
if (ret)
krb5_err(context, 1, ret, "krb5_kt_close");
ret = krb5_kt_resolve(context, keytab2, &id3);
if (ret)
krb5_err(context, 1, ret, "krb5_kt_resolve");
memset(&entry3, 0, sizeof(entry3));
ret = krb5_parse_name(context, "*****@*****.**", &entry3.principal);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
entry3.vno = 1;
ret = krb5_generate_random_keyblock(context,
ETYPE_AES256_CTS_HMAC_SHA1_96,
&entry3.keyblock);
if (ret)
krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
krb5_kt_add_entry(context, id3, &entry3);
ret = krb5_kt_resolve(context, keytab, &id);
if (ret)
krb5_err(context, 1, ret, "krb5_kt_resolve");
ret = krb5_kt_get_entry(context, id,
entry.principal,
0,
ETYPE_AES256_CTS_HMAC_SHA1_96,
&entry2);
if (ret == 0)
krb5_errx(context, 1, "krb5_kt_get_entry when if should fail");
krb5_kt_remove_entry(context, id, &entry);
ret = krb5_kt_close(context, id);
if (ret)
krb5_err(context, 1, ret, "krb5_kt_close");
krb5_kt_free_entry(context, &entry);
krb5_kt_remove_entry(context, id3, &entry3);
ret = krb5_kt_close(context, id3);
if (ret)
krb5_err(context, 1, ret, "krb5_kt_close");
krb5_free_principal(context, entry3.principal);
krb5_free_keyblock_contents(context, &entry3.keyblock);
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
krb5_auth_context auth_context;
void *kadm_handle;
kadm5_server_context *server_context;
kadm5_config_params conf;
int master_fd;
krb5_ccache ccache;
krb5_principal server;
char **files;
int optidx = 0;
time_t reconnect_min;
time_t backoff;
time_t reconnect_max;
time_t reconnect;
time_t before = 0;
const char *master;
setprogname(argv[0]);
if(getarg(args, num_args, argc, argv, &optidx))
usage(1);
if(help_flag)
usage(0);
if(version_flag) {
print_version(NULL);
exit(0);
}
ret = krb5_init_context(&context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
setup_signal();
if (config_file == NULL) {
if (asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context)) == -1
|| config_file == NULL)
errx(1, "out of memory");
}
ret = krb5_prepend_config_files_default(config_file, &files);
if (ret)
krb5_err(context, 1, ret, "getting configuration files");
ret = krb5_set_config_files(context, files);
krb5_free_config_files(files);
if (ret)
krb5_err(context, 1, ret, "reading configuration files");
argc -= optidx;
argv += optidx;
if (argc != 1)
usage(1);
master = argv[0];
if (status_file == NULL) {
if (asprintf(&status_file, "%s/ipropd-slave-status", hdb_db_dir(context)) < 0 || status_file == NULL)
krb5_errx(context, 1, "can't allocate status file buffer");
}
#ifdef SUPPORT_DETACH
if (detach_from_console){
int aret = daemon(0, 0);
if (aret == -1) {
/* not much to do if detaching fails... */
krb5_err(context, 1, aret, "failed to daemon(3)ise");
}
}
#endif
pidfile (NULL);
krb5_openlog (context, "ipropd-slave", &log_facility);
krb5_set_warn_dest(context, log_facility);
slave_status(context, status_file, "bootstrapping");
ret = krb5_kt_register(context, &hdb_kt_ops);
if(ret)
krb5_err(context, 1, ret, "krb5_kt_register");
time_before_lost = parse_time (server_time_lost, "s");
if (time_before_lost < 0)
krb5_errx (context, 1, "couldn't parse time: %s", server_time_lost);
slave_status(context, status_file, "getting credentials from keytab/database");
memset(&conf, 0, sizeof(conf));
if(realm) {
conf.mask |= KADM5_CONFIG_REALM;
conf.realm = realm;
}
ret = kadm5_init_with_password_ctx (context,
KADM5_ADMIN_SERVICE,
NULL,
KADM5_ADMIN_SERVICE,
&conf, 0, 0,
&kadm_handle);
if (ret)
krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
server_context = (kadm5_server_context *)kadm_handle;
slave_status(context, status_file, "creating log file");
ret = kadm5_log_init (server_context);
if (ret)
krb5_err (context, 1, ret, "kadm5_log_init");
get_creds(context, keytab_str, &ccache, master);
ret = krb5_sname_to_principal (context, master, IPROP_NAME,
KRB5_NT_SRV_HST, &server);
if (ret)
krb5_err (context, 1, ret, "krb5_sname_to_principal");
auth_context = NULL;
master_fd = -1;
krb5_appdefault_time(context, config_name, NULL, "reconnect-min",
10, &reconnect_min);
krb5_appdefault_time(context, config_name, NULL, "reconnect-max",
300, &reconnect_max);
krb5_appdefault_time(context, config_name, NULL, "reconnect-backoff",
10, &backoff);
reconnect = reconnect_min;
slave_status(context, status_file, "ipropd-slave started");
while (!exit_flag) {
time_t now, elapsed;
int connected = FALSE;
now = time(NULL);
elapsed = now - before;
if (elapsed < reconnect) {
time_t left = reconnect - elapsed;
krb5_warnx(context, "sleeping %d seconds before "
"retrying to connect", (int)left);
sleep(left);
}
before = now;
slave_status(context, status_file, "connecting to master: %s\n", master);
master_fd = connect_to_master (context, master, port_str);
if (master_fd < 0)
goto retry;
reconnect = reconnect_min;
if (auth_context) {
krb5_auth_con_free(context, auth_context);
auth_context = NULL;
krb5_cc_destroy(context, ccache);
get_creds(context, keytab_str, &ccache, master);
}
ret = krb5_sendauth (context, &auth_context, &master_fd,
IPROP_VERSION, NULL, server,
AP_OPTS_MUTUAL_REQUIRED, NULL, NULL,
ccache, NULL, NULL, NULL);
if (ret) {
krb5_warn (context, ret, "krb5_sendauth");
goto retry;
}
krb5_warnx(context, "ipropd-slave started at version: %ld",
(long)server_context->log_context.version);
ret = ihave (context, auth_context, master_fd,
server_context->log_context.version);
if (ret)
goto retry;
connected = TRUE;
slave_status(context, status_file, "connected to master, waiting instructions");
while (connected && !exit_flag) {
krb5_data out;
krb5_storage *sp;
int32_t tmp;
fd_set readset;
struct timeval to;
#ifndef NO_LIMIT_FD_SETSIZE
if (master_fd >= FD_SETSIZE)
krb5_errx (context, 1, "fd too large");
#endif
FD_ZERO(&readset);
FD_SET(master_fd, &readset);
to.tv_sec = time_before_lost;
to.tv_usec = 0;
ret = select (master_fd + 1,
&readset, NULL, NULL, &to);
if (ret < 0) {
if (errno == EINTR)
continue;
else
krb5_err (context, 1, errno, "select");
}
if (ret == 0)
krb5_errx (context, 1, "server didn't send a message "
"in %d seconds", time_before_lost);
ret = krb5_read_priv_message(context, auth_context, &master_fd, &out);
if (ret) {
krb5_warn (context, ret, "krb5_read_priv_message");
connected = FALSE;
continue;
}
sp = krb5_storage_from_mem (out.data, out.length);
krb5_ret_int32 (sp, &tmp);
switch (tmp) {
case FOR_YOU :
receive (context, sp, server_context);
ret = ihave (context, auth_context, master_fd,
server_context->log_context.version);
if (ret) {
connected = FALSE;
} else {
is_up_to_date(context, status_file, server_context);
}
break;
case TELL_YOU_EVERYTHING :
ret = receive_everything (context, master_fd, server_context,
auth_context);
if (ret)
connected = FALSE;
else
is_up_to_date(context, status_file, server_context);
break;
case ARE_YOU_THERE :
is_up_to_date(context, status_file, server_context);
send_im_here (context, master_fd, auth_context);
break;
case YOU_HAVE_LAST_VERSION:
is_up_to_date(context, status_file, server_context);
break;
case NOW_YOU_HAVE :
case I_HAVE :
case ONE_PRINC :
case I_AM_HERE :
default :
krb5_warnx (context, "Ignoring command %d", tmp);
break;
}
krb5_storage_free (sp);
krb5_data_free (&out);
}
slave_status(context, status_file, "disconnected from master");
retry:
if (connected == FALSE)
krb5_warnx (context, "disconnected for server");
if (exit_flag)
krb5_warnx (context, "got an exit signal");
if (master_fd >= 0)
close(master_fd);
reconnect += backoff;
if (reconnect > reconnect_max) {
slave_status(context, status_file, "disconnected from master for a long time");
reconnect = reconnect_max;
}
}
if (status_file)
unlink(status_file);
if (0);
#ifndef NO_SIGXCPU
else if(exit_flag == SIGXCPU)
krb5_warnx(context, "%s CPU time limit exceeded", getprogname());
#endif
else if(exit_flag == SIGINT || exit_flag == SIGTERM)
krb5_warnx(context, "%s terminated", getprogname());
else
krb5_warnx(context, "%s unexpected exit reason: %ld",
getprogname(), (long)exit_flag);
return 0;
}
int
main(int argc, char **argv)
{
krb5_context context;
krb5_principal princ;
krb5_salt salt;
int optidx;
char buf[1024];
krb5_enctype etype;
krb5_error_code ret;
optidx = krb5_program_setup(&context, argc, argv, args, num_args, NULL);
if(help)
usage(0);
if(version){
print_version (NULL);
return 0;
}
argc -= optidx;
argv += optidx;
if (argc > 1)
usage(1);
if(!version5 && !version4 && !afs)
version5 = 1;
ret = krb5_string_to_enctype(context, keytype_str, &etype);
if(ret)
krb5_err(context, 1, ret, "krb5_string_to_enctype");
if((etype != ETYPE_DES_CBC_CRC &&
etype != ETYPE_DES_CBC_MD4 &&
etype != ETYPE_DES_CBC_MD5) &&
(afs || version4)) {
if(!version5) {
etype = ETYPE_DES_CBC_CRC;
} else {
krb5_errx(context, 1,
"DES is the only valid keytype for AFS and Kerberos 4");
}
}
if(version5 && principal == NULL){
printf("Kerberos v5 principal: ");
if(fgets(buf, sizeof(buf), stdin) == NULL)
return 1;
buf[strcspn(buf, "\r\n")] = '\0';
principal = estrdup(buf);
}
if(afs && cell == NULL){
printf("AFS cell: ");
if(fgets(buf, sizeof(buf), stdin) == NULL)
return 1;
buf[strcspn(buf, "\r\n")] = '\0';
cell = estrdup(buf);
}
if(argv[0])
password = argv[0];
if(password == NULL){
if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Password: "******"Kerberos 5 (%s)");
krb5_free_salt(context, salt);
}
if(version4){
salt.salttype = KRB5_PW_SALT;
salt.saltvalue.length = 0;
salt.saltvalue.data = NULL;
tokey(context, ETYPE_DES_CBC_MD5, password, salt, "Kerberos 4");
}
if(afs){
salt.salttype = KRB5_AFS3_SALT;
salt.saltvalue.length = strlen(cell);
salt.saltvalue.data = cell;
tokey(context, ETYPE_DES_CBC_MD5, password, salt, "AFS");
}
return 0;
}
