/* Sets conn->state to READING when done. */
static krb5_boolean
service_tcp_write(krb5_context context, const krb5_data *realm,
struct conn_state *conn, struct select_state *selstate)
{
ssize_t nwritten;
SOCKET_WRITEV_TEMP tmp;
TRACE_SENDTO_KDC_TCP_SEND(context, &conn->addr);
nwritten = SOCKET_WRITEV(conn->fd, conn->out.sgp, conn->out.sg_count, tmp);
if (nwritten < 0) {
TRACE_SENDTO_KDC_TCP_ERROR_SEND(context, &conn->addr, SOCKET_ERRNO);
kill_conn(context, conn, selstate);
return FALSE;
}
while (nwritten) {
sg_buf *sgp = conn->out.sgp;
if ((size_t)nwritten < SG_LEN(sgp)) {
SG_ADVANCE(sgp, (size_t)nwritten);
nwritten = 0;
} else {
nwritten -= SG_LEN(sgp);
conn->out.sgp++;
conn->out.sg_count--;
}
}
if (conn->out.sg_count == 0) {
/* Done writing, switch to reading. */
cm_read(selstate, conn->fd);
conn->state = READING;
}
return FALSE;
}
int
krb5int_net_writev(krb5_context context, int fd, sg_buf *sgp, int nsg)
{
int cc, len = 0;
SOCKET_WRITEV_TEMP tmp;
while (nsg > 0) {
/* Skip any empty data blocks. */
if (SG_LEN(sgp) == 0) {
sgp++, nsg--;
continue;
}
cc = SOCKET_WRITEV((SOCKET)fd, sgp, nsg, tmp);
if (cc < 0) {
if (SOCKET_ERRNO == SOCKET_EINTR)
continue;
/* XXX this interface sucks! */
errno = SOCKET_ERRNO;
return -1;
}
len += cc;
while (cc > 0) {
if ((unsigned)cc < SG_LEN(sgp)) {
SG_ADVANCE(sgp, (unsigned)cc);
cc = 0;
} else {
cc -= SG_LEN(sgp);
sgp++, nsg--;
assert(nsg > 0 || cc == 0);
}
}
}
return len;
}
/* Set conn->state to READING when done; otherwise, call a cm_set_. */
static krb5_boolean
service_https_write(krb5_context context, const krb5_data *realm,
struct conn_state *conn, struct select_state *selstate)
{
k5_tls_status st;
/* If this is our first time in here, set up the SSL context. */
if (conn->http.tls == NULL && !setup_tls(context, realm, conn, selstate)) {
kill_conn(context, conn, selstate);
return FALSE;
}
/* Try to transmit our request to the server. */
st = context->tls->write(context, conn->http.tls, SG_BUF(conn->out.sgp),
SG_LEN(conn->out.sgbuf));
if (st == DONE) {
TRACE_SENDTO_KDC_HTTPS_SEND(context, &conn->addr);
cm_read(selstate, conn->fd);
conn->state = READING;
} else if (st == WANT_READ) {
cm_read(selstate, conn->fd);
} else if (st == WANT_WRITE) {
cm_write(selstate, conn->fd);
} else if (st == ERROR_TLS) {
TRACE_SENDTO_KDC_HTTPS_ERROR_SEND(context, &conn->addr);
kill_conn(context, conn, selstate);
}
return FALSE;
}
/* Return 0 if we sent something, non-0 otherwise.
If 0 is returned, the caller should delay waiting for a response.
Otherwise, the caller should immediately move on to process the
next connection. */
static int
maybe_send(krb5_context context, struct conn_state *conn,
struct select_state *selstate,
struct sendto_callback_info *callback_info)
{
sg_buf *sg;
ssize_t ret;
dprint("maybe_send(@%p) state=%s type=%s\n", conn,
state_strings[conn->state],
conn->is_udp ? "udp" : "tcp");
if (conn->state == INITIALIZING)
return start_connection(context, conn, selstate, callback_info);
/* Did we already shut down this channel? */
if (conn->state == FAILED) {
dprint("connection already closed\n");
return -1;
}
if (conn->socktype == SOCK_STREAM) {
dprint("skipping stream socket\n");
/* The select callback will handle flushing any data we
haven't written yet, and we only write it once. */
return -1;
}
/* UDP - retransmit after a previous attempt timed out. */
sg = &conn->x.out.sgbuf[0];
TRACE_SENDTO_KDC_UDP_SEND_RETRY(context, conn);
dprint("sending %d bytes on fd %d\n", SG_LEN(sg), conn->fd);
ret = send(conn->fd, SG_BUF(sg), SG_LEN(sg), 0);
if (ret < 0 || (size_t) ret != SG_LEN(sg)) {
TRACE_SENDTO_KDC_UDP_ERROR_SEND_RETRY(context, conn, SOCKET_ERRNO);
dperror("send");
/* Keep connection alive, we'll try again next pass.
Is this likely to catch any errors we didn't get from the
select callbacks? */
return -1;
}
/* Yay, it worked. */
return 0;
}
/* Return 0 if we sent something, non-0 otherwise.
If 0 is returned, the caller should delay waiting for a response.
Otherwise, the caller should immediately move on to process the
next connection. */
static int
maybe_send(krb5_context context, struct conn_state *conn,
const krb5_data *message, struct select_state *selstate,
const krb5_data *realm,
struct sendto_callback_info *callback_info)
{
sg_buf *sg;
ssize_t ret;
if (conn->state == INITIALIZING) {
return start_connection(context, conn, message, selstate,
realm, callback_info);
}
/* Did we already shut down this channel? */
if (conn->state == FAILED) {
return -1;
}
if (conn->addr.transport != UDP) {
/* The select callback will handle flushing any data we
haven't written yet, and we only write it once. */
return -1;
}
/* UDP - retransmit after a previous attempt timed out. */
sg = &conn->out.sgbuf[0];
TRACE_SENDTO_KDC_UDP_SEND_RETRY(context, &conn->addr);
ret = send(conn->fd, SG_BUF(sg), SG_LEN(sg), 0);
if (ret < 0 || (size_t) ret != SG_LEN(sg)) {
TRACE_SENDTO_KDC_UDP_ERROR_SEND_RETRY(context, &conn->addr,
SOCKET_ERRNO);
/* Keep connection alive, we'll try again next pass.
Is this likely to catch any errors we didn't get from the
select callbacks? */
return -1;
}
/* Yay, it worked. */
return 0;
}
static int
start_connection(krb5_context context, struct conn_state *state,
const krb5_data *message, struct select_state *selstate,
const krb5_data *realm,
struct sendto_callback_info *callback_info)
{
int fd, e, type;
static const int one = 1;
static const struct linger lopt = { 0, 0 };
type = socktype_for_transport(state->addr.transport);
fd = socket(state->addr.family, type, 0);
if (fd == INVALID_SOCKET)
return -1; /* try other hosts */
set_cloexec_fd(fd);
/* Make it non-blocking. */
ioctlsocket(fd, FIONBIO, (const void *) &one);
if (state->addr.transport == TCP) {
setsockopt(fd, SOL_SOCKET, SO_LINGER, &lopt, sizeof(lopt));
TRACE_SENDTO_KDC_TCP_CONNECT(context, &state->addr);
}
/* Start connecting to KDC. */
e = connect(fd, (struct sockaddr *)&state->addr.saddr, state->addr.len);
if (e != 0) {
/*
* This is the path that should be followed for non-blocking
* connections.
*/
if (SOCKET_ERRNO == EINPROGRESS || SOCKET_ERRNO == EWOULDBLOCK) {
state->state = CONNECTING;
state->fd = fd;
} else {
(void) closesocket(fd);
state->state = FAILED;
return -2;
}
} else {
/*
* Connect returned zero even though we made it non-blocking. This
* happens normally for UDP sockets, and can perhaps also happen for
* TCP sockets connecting to localhost.
*/
state->state = WRITING;
state->fd = fd;
}
/*
* Here's where KPASSWD callback gets the socket information it needs for
* a kpasswd request
*/
if (callback_info) {
e = callback_info->pfn_callback(state->fd, callback_info->data,
&state->callback_buffer);
if (e != 0) {
(void) closesocket(fd);
state->fd = INVALID_SOCKET;
state->state = FAILED;
return -3;
}
message = &state->callback_buffer;
}
e = set_transport_message(state, realm, message);
if (e != 0) {
TRACE_SENDTO_KDC_ERROR_SET_MESSAGE(context, &state->addr, e);
(void) closesocket(state->fd);
state->fd = INVALID_SOCKET;
state->state = FAILED;
return -4;
}
if (state->addr.transport == UDP) {
/* Send it now. */
ssize_t ret;
sg_buf *sg = &state->out.sgbuf[0];
TRACE_SENDTO_KDC_UDP_SEND_INITIAL(context, &state->addr);
ret = send(state->fd, SG_BUF(sg), SG_LEN(sg), 0);
if (ret < 0 || (size_t) ret != SG_LEN(sg)) {
TRACE_SENDTO_KDC_UDP_ERROR_SEND_INITIAL(context, &state->addr,
SOCKET_ERRNO);
(void) closesocket(state->fd);
state->fd = INVALID_SOCKET;
state->state = FAILED;
return -5;
} else {
state->state = READING;
}
}
if (!cm_add_fd(selstate, state->fd)) {
(void) closesocket(state->fd);
state->fd = INVALID_SOCKET;
state->state = FAILED;
return -1;
}
if (state->state == CONNECTING || state->state == WRITING)
cm_write(selstate, state->fd);
else
cm_read(selstate, state->fd);
return 0;
}
static int
service_tcp_fd(krb5_context context, struct conn_state *conn,
struct select_state *selstate, int ssflags)
{
int e = 0;
ssize_t nwritten, nread;
if (!(ssflags & (SSF_READ|SSF_WRITE|SSF_EXCEPTION)))
abort();
switch (conn->state) {
SOCKET_WRITEV_TEMP tmp;
case CONNECTING:
if (ssflags & SSF_READ) {
/* Bad -- the KDC shouldn't be sending to us first. */
e = EINVAL /* ?? */;
kill_conn:
TRACE_SENDTO_KDC_TCP_DISCONNECT(context, conn);
kill_conn(conn, selstate, e);
if (e == EINVAL) {
closesocket(conn->fd);
conn->fd = INVALID_SOCKET;
}
return e == 0;
}
if (ssflags & SSF_EXCEPTION) {
handle_exception:
e = get_so_error(conn->fd);
if (e)
dprint("socket error on exception fd: %m", e);
else
dprint("no socket error info available on exception fd");
goto kill_conn;
}
/*
* Connect finished -- but did it succeed or fail?
* UNIX sets can_write if failed.
* Call getsockopt to see if error pending.
*
* (For most UNIX systems it works to just try writing the
* first time and detect an error. But Bill Dodd at IBM
* reports that some version of AIX, SIGPIPE can result.)
*/
e = get_so_error(conn->fd);
if (e) {
TRACE_SENDTO_KDC_TCP_ERROR_CONNECT(context, conn, e);
dprint("socket error on write fd: %m", e);
goto kill_conn;
}
conn->state = WRITING;
goto try_writing;
case WRITING:
if (ssflags & SSF_READ) {
e = E2BIG;
/* Bad -- the KDC shouldn't be sending anything yet. */
goto kill_conn;
}
if (ssflags & SSF_EXCEPTION)
goto handle_exception;
try_writing:
dprint("trying to writev %d (%d bytes) to fd %d\n",
conn->x.out.sg_count,
((conn->x.out.sg_count == 2 ? SG_LEN(&conn->x.out.sgp[1]) : 0)
+ SG_LEN(&conn->x.out.sgp[0])),
conn->fd);
TRACE_SENDTO_KDC_TCP_SEND(context, conn);
nwritten = SOCKET_WRITEV(conn->fd, conn->x.out.sgp,
conn->x.out.sg_count, tmp);
if (nwritten < 0) {
e = SOCKET_ERRNO;
TRACE_SENDTO_KDC_TCP_ERROR_SEND(context, conn, e);
dprint("failed: %m\n", e);
goto kill_conn;
}
dprint("wrote %d bytes\n", nwritten);
while (nwritten) {
sg_buf *sgp = conn->x.out.sgp;
if ((size_t) nwritten < SG_LEN(sgp)) {
SG_ADVANCE(sgp, (size_t) nwritten);
nwritten = 0;
} else {
nwritten -= SG_LEN(sgp);
conn->x.out.sgp++;
conn->x.out.sg_count--;
if (conn->x.out.sg_count == 0 && nwritten != 0)
/* Wrote more than we wanted to? */
abort();
}
}
if (conn->x.out.sg_count == 0) {
/* Done writing, switch to reading. */
/* Don't call shutdown at this point because
* some implementations cannot deal with half-closed connections.*/
FD_CLR(conn->fd, &selstate->wfds);
/* Q: How do we detect failures to send the remaining data
to the remote side, since we're in non-blocking mode?
Will we always get errors on the reading side? */
dprint("switching fd %d to READING\n", conn->fd);
conn->state = READING;
conn->x.in.bufsizebytes_read = 0;
conn->x.in.bufsize = 0;
conn->x.in.buf = 0;
conn->x.in.pos = 0;
conn->x.in.n_left = 0;
}
return 0;
case READING:
if (ssflags & SSF_EXCEPTION) {
if (conn->x.in.buf) {
free(conn->x.in.buf);
conn->x.in.buf = 0;
}
goto handle_exception;
}
if (conn->x.in.bufsizebytes_read == 4) {
/* Reading data. */
dprint("reading %d bytes of data from fd %d\n",
(int) conn->x.in.n_left, conn->fd);
nread = SOCKET_READ(conn->fd, conn->x.in.pos, conn->x.in.n_left);
if (nread <= 0) {
e = nread ? SOCKET_ERRNO : ECONNRESET;
free(conn->x.in.buf);
conn->x.in.buf = 0;
TRACE_SENDTO_KDC_TCP_ERROR_RECV(context, conn, e);
goto kill_conn;
}
conn->x.in.n_left -= nread;
conn->x.in.pos += nread;
if (conn->x.in.n_left <= 0) {
/* We win! */
return 1;
}
} else {
/* Reading length. */
nread = SOCKET_READ(conn->fd,
conn->x.in.bufsizebytes + conn->x.in.bufsizebytes_read,
4 - conn->x.in.bufsizebytes_read);
if (nread < 0) {
TRACE_SENDTO_KDC_TCP_ERROR_RECV_LEN(context, conn, e);
e = SOCKET_ERRNO;
goto kill_conn;
}
conn->x.in.bufsizebytes_read += nread;
if (conn->x.in.bufsizebytes_read == 4) {
unsigned long len = load_32_be (conn->x.in.bufsizebytes);
dprint("received length on fd %d is %d\n", conn->fd, (int)len);
/* Arbitrary 1M cap. */
if (len > 1 * 1024 * 1024) {
e = E2BIG;
goto kill_conn;
}
conn->x.in.bufsize = conn->x.in.n_left = len;
conn->x.in.buf = conn->x.in.pos = malloc(len);
dprint("allocated %d byte buffer at %p\n", (int) len,
conn->x.in.buf);
if (conn->x.in.buf == 0) {
/* allocation failure */
e = ENOMEM;
goto kill_conn;
}
}
}
break;
default:
abort();
}
return 0;
}
static int
start_connection(krb5_context context, struct conn_state *state,
struct select_state *selstate,
struct sendto_callback_info *callback_info)
{
int fd, e;
dprint("start_connection(@%p)\ngetting %s socket in family %d...", state,
state->socktype == SOCK_STREAM ? "stream" : "dgram", state->family);
fd = socket(state->family, state->socktype, 0);
if (fd == INVALID_SOCKET) {
state->err = SOCKET_ERRNO;
dprint("socket: %m creating with af %d\n", state->err, state->family);
return -1; /* try other hosts */
}
#ifndef _WIN32 /* On Windows FD_SETSIZE is a count, not a max value. */
if (fd >= FD_SETSIZE) {
closesocket(fd);
state->err = EMFILE;
dprint("socket: fd %d too high\n", fd);
return -1;
}
#endif
set_cloexec_fd(fd);
/* Make it non-blocking. */
if (state->socktype == SOCK_STREAM) {
static const int one = 1;
static const struct linger lopt = { 0, 0 };
if (ioctlsocket(fd, FIONBIO, (const void *) &one))
dperror("sendto_kdc: ioctl(FIONBIO)");
if (setsockopt(fd, SOL_SOCKET, SO_LINGER, &lopt, sizeof(lopt)))
dperror("sendto_kdc: setsockopt(SO_LINGER)");
TRACE_SENDTO_KDC_TCP_CONNECT(context, state);
}
/* Start connecting to KDC. */
e = connect(fd, (struct sockaddr *)&state->addr, state->addrlen);
if (e != 0) {
/*
* This is the path that should be followed for non-blocking
* connections.
*/
if (SOCKET_ERRNO == EINPROGRESS || SOCKET_ERRNO == EWOULDBLOCK) {
state->state = CONNECTING;
state->fd = fd;
} else {
dprint("connect failed: %m\n", SOCKET_ERRNO);
(void) closesocket(fd);
state->err = SOCKET_ERRNO;
state->state = FAILED;
return -2;
}
} else {
/*
* Connect returned zero even though we made it non-blocking. This
* happens normally for UDP sockets, and can perhaps also happen for
* TCP sockets connecting to localhost.
*/
state->state = WRITING;
state->fd = fd;
}
dprint("new state = %s\n", state_strings[state->state]);
/*
* Here's where KPASSWD callback gets the socket information it needs for
* a kpasswd request
*/
if (callback_info) {
e = callback_info->pfn_callback(state, callback_info->context,
&state->callback_buffer);
if (e != 0) {
dprint("callback failed: %m\n", e);
(void) closesocket(fd);
state->err = e;
state->fd = INVALID_SOCKET;
state->state = FAILED;
return -3;
}
set_conn_state_msg_length(state, &state->callback_buffer);
}
if (state->socktype == SOCK_DGRAM) {
/* Send it now. */
ssize_t ret;
sg_buf *sg = &state->x.out.sgbuf[0];
TRACE_SENDTO_KDC_UDP_SEND_INITIAL(context, state);
dprint("sending %d bytes on fd %d\n", SG_LEN(sg), state->fd);
ret = send(state->fd, SG_BUF(sg), SG_LEN(sg), 0);
if (ret < 0 || (size_t) ret != SG_LEN(sg)) {
TRACE_SENDTO_KDC_UDP_ERROR_SEND_INITIAL(context, state,
SOCKET_ERRNO);
dperror("sendto");
(void) closesocket(state->fd);
state->fd = INVALID_SOCKET;
state->state = FAILED;
return -4;
} else {
state->state = READING;
}
}
FD_SET(state->fd, &selstate->rfds);
if (state->state == CONNECTING || state->state == WRITING)
FD_SET(state->fd, &selstate->wfds);
FD_SET(state->fd, &selstate->xfds);
if (selstate->max <= state->fd)
selstate->max = state->fd + 1;
selstate->nfds++;
dprint("new select vectors: %F\n",
&selstate->rfds, &selstate->wfds, &selstate->xfds, selstate->max);
return 0;
}
