/* * Copyright (c) 1995, 1996, 1997, 1998 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "slav_locl.h" #include "kprop.h" RCSID("$Id: kpropd.c,v 2.32 1999/12/02 16:58:56 joda Exp $"); #ifndef SBINDIR #define SBINDIR "/usr/athena/sbin" #endif struct sockaddr_in master, slave; char *database = DBM_FILE; char *lockfile = DB_DIR "/slave_propagation"; char *logfile = K_LOGFIL; char *kdb_util = SBINDIR "/kdb_util"; char *kdb_util_command = "load"; char *srvtab = ""; char realm[REALM_SZ]; static int copy_data(int from, int to, des_cblock *session, des_key_schedule schedule) { unsigned char tmp[4]; char buf[KPROP_BUFSIZ + 26]; u_int32_t length; int n; int kerr; MSG_DAT m; while(1){ n = krb_net_read(from, tmp, 4); if(n == 0) break; if(n < 0){ klog(L_KRB_PERR, "krb_net_read: %s", strerror(errno)); return -1; } if(n != 4){ klog(L_KRB_PERR, "Premature end of data"); return -1; } length = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3]; if(length > sizeof(buf)){ klog(L_KRB_PERR, "Giant packet received: %d", length); return -1; } if(krb_net_read(from, buf, length) != length){ klog(L_KRB_PERR, "Premature end of data"); return -1; } kerr = krb_rd_priv (buf, length, schedule, session, &master, &slave, &m); if(kerr != KSUCCESS){ klog(L_KRB_PERR, "Kerberos error: %s", krb_get_err_text(kerr)); return -1; } write(to, m.app_data, m.app_length); } return 0; } static int kprop(int s) { char buf[128]; int n; KTEXT_ST ticket; AUTH_DAT ad; char sinst[INST_SZ]; des_key_schedule schedule; int mode; int kerr; int lock; n = sizeof(master); if(getpeername(s, (struct sockaddr*)&master, &n) < 0){ klog(L_KRB_PERR, "getpeername: %s", strerror(errno)); return 1; } n = sizeof(slave); if(getsockname(s, (struct sockaddr*)&slave, &n) < 0){ klog(L_KRB_PERR, "getsockname: %s", strerror(errno)); return 1; } klog(L_KRB_PERR, "Connection from %s", inet_ntoa(master.sin_addr)); n = krb_net_read(s, buf, KPROP_PROT_VERSION_LEN + 2); if(n < KPROP_PROT_VERSION_LEN + 2){ klog(L_KRB_PERR, "Premature end of data"); return 1; } if(memcmp(buf, KPROP_PROT_VERSION, KPROP_PROT_VERSION_LEN) != 0){ klog(L_KRB_PERR, "Bad protocol version string received"); return 1; } mode = (buf[n-2] << 8) | buf[n-1]; if(mode != KPROP_TRANSFER_PRIVATE){ klog(L_KRB_PERR, "Bad transfer mode received: %d", mode); return 1; } k_getsockinst(s, sinst, sizeof(sinst)); kerr = krb_recvauth(KOPT_DO_MUTUAL, s, &ticket, KPROP_SERVICE_NAME, sinst, &master, &slave, &ad, srvtab, schedule, buf); if(kerr != KSUCCESS){ klog(L_KRB_PERR, "Kerberos error: %s", krb_get_err_text(kerr)); return 1; } if(strcmp(ad.pname, KPROP_SERVICE_NAME) || #if 0 strcmp(ad.pinst, /* XXX remote host */) || #else strcmp(ad.pinst, KRB_MASTER) || #endif strcmp(ad.prealm, realm)){ klog(L_KRB_PERR, "Connection from unauthorized client: %s", krb_unparse_name_long(ad.pname, ad.pinst, ad.prealm)); return 1; } des_set_key(&ad.session, schedule); lock = open(lockfile, O_WRONLY|O_CREAT, 0600); if(lock < 0){ klog(L_KRB_PERR, "Failed to open file: %s", strerror(errno)); return 1; } if(flock(lock, LOCK_EX | LOCK_NB)){ close(lock); klog(L_KRB_PERR, "Failed to lock file: %s", strerror(errno)); return 1; } if(ftruncate(lock, 0) < 0){ close(lock); klog(L_KRB_PERR, "Failed to lock file: %s", strerror(errno)); return 1; } if(copy_data(s, lock, &ad.session, schedule)){ close(lock); return 1; } close(lock); if(simple_execlp(kdb_util, "kdb_util", kdb_util_command, lockfile, database, NULL) != 0) { klog(L_KRB_PERR, "*** Propagation failed ***"); return 1; }else{ klog(L_KRB_PERR, "Propagation finished successfully"); return 0; } } static int doit(void) { return kprop(0); } static int doit_interactive(void) { struct sockaddr_in sa; int salen; int s, s2; int ret; s = socket(AF_INET, SOCK_STREAM, 0); if(s < 0){ klog(L_KRB_PERR, "socket: %s", strerror(errno)); return 1; } memset(&sa, 0, sizeof(sa)); sa.sin_family = AF_INET; sa.sin_port = k_getportbyname ("krb_prop", "tcp", htons(KPROP_PORT)); ret = bind(s, (struct sockaddr*)&sa, sizeof(sa)); if (ret < 0) { klog(L_KRB_PERR, "bind: %s", strerror(errno)); return 1; } ret = listen(s, SOMAXCONN); if (ret < 0) { klog(L_KRB_PERR, "listen: %s", strerror(errno)); return 1; } for(;;) { salen = sizeof(sa); s2 = accept(s, (struct sockaddr*)&sa, &salen); switch(fork()){ case -1: klog(L_KRB_PERR, "fork: %s", strerror(errno)); return 1; case 0: close(s); kprop(s2); return 1; default: { int status; close(s2); wait(&status); } } } } static void usage (void) { fprintf (stderr, "Usage: kpropd [-i] [-d database] [-l log] [-m] [-[p|P] program]" " [-r realm] [-s srvtab]\n"); exit (1); } int main(int argc, char **argv) { int opt; int interactive = 0; krb_get_lrealm(realm, 1); while((opt = getopt(argc, argv, ":d:l:mp:P:r:s:i")) >= 0){ switch(opt){ case 'd': database = optarg; break; case 'l': logfile = optarg; break; case 'm': kdb_util_command = "merge"; break; case 'p': case 'P': kdb_util = optarg; break; case 'r': strlcpy(realm, optarg, REALM_SZ); break; case 's': srvtab = optarg; break; case 'i': interactive = 1; break; default: klog(L_KRB_PERR, "Bad option: -%c", optopt); usage (); exit(1); } } if (!interactive) { /* Use logfile as stderr so we don't lose error messages. */ int fd = open(logfile, O_CREAT | O_WRONLY | O_APPEND, 0600); if (fd == -1) klog(L_KRB_PERR, "Can't open logfile %s: %s", logfile,strerror(errno)); else dup2(fd, 2); close(fd); } kset_logfile(logfile); if (interactive) return doit_interactive (); else return doit (); }