4 * Copyright 1990,1991 by the Massachusetts Institute of Technology.
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. M.I.T. makes no representations about the suitability of
20 * this software for any purpose. It is provided "as is" without express
21 * or implied warranty.
33 #include <sys/types.h>
36 #include <sys/socket.h>
37 #include <netinet/in.h>
38 #include <sys/param.h>
46 static char *kprop_version = KPROP_PROT_VERSION;
53 char *file = KPROP_DEFAULT_FILE;
56 krb5_principal my_principal; /* The Kerberos principal we'll be */
57 /* running under, initialized in */
59 krb5_ccache ccache; /* Credentials cache which we'll be using */
60 /* krb5_creds my_creds; /* My credentials */
62 krb5_address sender_addr;
63 krb5_address receiver_addr;
66 PROTOTYPE((int, char **));
68 PROTOTYPE((krb5_context));
71 krb5_error_code open_connection
72 PROTOTYPE((char *, int *, char *));
73 void kerberos_authenticate
74 PROTOTYPE((krb5_context, krb5_auth_context *,
75 int, krb5_principal, krb5_creds **));
77 PROTOTYPE((krb5_context, char *, int *));
79 PROTOTYPE((krb5_context, int));
81 PROTOTYPE((krb5_context, krb5_auth_context, krb5_creds *,
84 PROTOTYPE((krb5_context, krb5_creds *, int, char *, krb5_error_code));
85 void update_last_prop_file
86 PROTOTYPE((char *, char *));
90 fprintf(stderr, "\nUsage: %s [-r realm] [-f file] [-d] [-P port] [-s srvtab] slave_host\n\n",
100 int fd, database_fd, database_size;
101 krb5_error_code retval;
102 krb5_context context;
103 krb5_creds *my_creds;
104 krb5_auth_context auth_context;
107 krb5_init_context(&context);
108 krb5_init_ets(context);
110 get_tickets(context);
112 database_fd = open_database(context, file, &database_size);
113 if (retval = open_connection(slave_host, &fd, Errmsg)) {
114 com_err(progname, retval, "%s while opening connection to %s",
119 fprintf(stderr, "%s: %s while opening connection to %s\n",
120 progname, Errmsg, slave_host);
123 kerberos_authenticate(context, &auth_context, fd, my_principal,
125 xmit_database(context, auth_context, my_creds, fd, database_fd,
127 update_last_prop_file(slave_host, file);
128 printf("Database propagation to %s: SUCCEEDED\n", slave_host);
129 krb5_free_cred_contents(context, my_creds);
130 close_database(context, database_fd);
138 register char *word, ch;
141 while (--argc && (word = *argv++)) {
144 while (word && (ch = *word++)) {
169 port = htons(atoi(word));
171 port = htons(atoi(*argv++));
201 void get_tickets(context)
202 krb5_context context;
204 char my_host_name[MAXHOSTNAMELEN];
208 krb5_error_code retval;
209 static char tkstring[] = "/tmp/kproptktXXXXXX";
210 krb5_keytab keytab = NULL;
213 * Figure out what tickets we'll be using to send stuff
215 retval = krb5_sname_to_principal(context, NULL, NULL,
216 KRB5_NT_SRV_HST, &my_principal);
218 com_err(progname, errno, "while setting client principal name");
222 (void) krb5_xfree(krb5_princ_realm(context, my_principal)->data);
223 krb5_princ_set_realm_length(context, my_principal, strlen(realm));
224 krb5_princ_set_realm_data(context, my_principal, strdup(realm));
227 krb5_princ_type(context, my_principal) = KRB5_NT_PRINCIPAL;
231 * Initialize cache file which we're going to be using
233 (void) mktemp(tkstring);
234 sprintf(buf, "FILE:%s", tkstring);
235 if (retval = krb5_cc_resolve(context, buf, &ccache)) {
236 com_err(progname, retval, "while opening credential cache %s",
240 if (retval = krb5_cc_initialize(context, ccache, my_principal)) {
241 com_err (progname, retval, "when initializing cache %s",
247 * Get the tickets we'll need.
249 * Construct the principal name for the slave host.
251 memset((char *)&creds, 0, sizeof(creds));
252 retval = krb5_sname_to_principal(context,
253 slave_host, KPROP_SERVICE_NAME,
254 KRB5_NT_SRV_HST, &creds.server);
256 com_err(progname, errno, "while setting server principal name");
257 (void) krb5_cc_destroy(context, ccache);
261 (void) krb5_xfree(krb5_princ_realm(context, creds.server)->data);
262 krb5_princ_set_realm_length(context, creds.server, strlen(realm));
263 krb5_princ_set_realm_data(context, creds.server, strdup(realm));
267 * Now fill in the client....
269 if (retval = krb5_copy_principal(context, my_principal, &creds.client)) {
270 com_err(progname, retval, "While copying client principal");
271 (void) krb5_cc_destroy(context, ccache);
275 if (retval = krb5_kt_resolve(context, srvtab, &keytab)) {
276 com_err(progname, retval, "while resolving keytab");
277 (void) krb5_cc_destroy(context, ccache);
282 retval = krb5_get_in_tkt_with_keytab(context, 0, 0, NULL,
283 NULL, keytab, ccache, &creds, 0);
285 com_err(progname, retval, "while getting initial ticket\n");
286 (void) krb5_cc_destroy(context, ccache);
291 (void) krb5_kt_close(context, keytab);
294 * Now destroy the cache right away --- the credentials we
295 * need will be in my_creds.
297 if (retval = krb5_cc_destroy(context, ccache)) {
298 com_err(progname, retval, "while destroying ticket cache");
304 open_connection(host, fd, Errmsg)
310 krb5_error_code retval;
313 register struct servent *sp;
314 struct sockaddr_in sin;
317 hp = gethostbyname(host);
319 (void) sprintf(Errmsg, "%s: unknown host", host);
323 sin.sin_family = hp->h_addrtype;
324 memcpy((char *)&sin.sin_addr, hp->h_addr, hp->h_length);
326 sp = getservbyname(KPROP_SERVICE, "tcp");
328 (void) strcpy(Errmsg, KPROP_SERVICE);
329 (void) strcat(Errmsg, "/tcp: unknown service");
333 sin.sin_port = sp->s_port;
336 s = socket(AF_INET, SOCK_STREAM, 0);
339 (void) sprintf(Errmsg, "in call to socket");
342 if (connect(s, (struct sockaddr *)&sin, sizeof sin) < 0) {
345 (void) sprintf(Errmsg, "in call to connect");
351 * Set receiver_addr and sender_addr.
353 receiver_addr.addrtype = ADDRTYPE_INET;
354 receiver_addr.length = sizeof(sin.sin_addr);
355 receiver_addr.contents = (krb5_octet *) malloc(sizeof(sin.sin_addr));
356 memcpy((char *) receiver_addr.contents, (char *) &sin.sin_addr,
357 sizeof(sin.sin_addr));
359 socket_length = sizeof(sin);
360 if (getsockname(s, (struct sockaddr *)&sin, &socket_length) < 0) {
363 (void) sprintf(Errmsg, "in call to getsockname");
366 sender_addr.addrtype = ADDRTYPE_INET;
367 sender_addr.length = sizeof(sin.sin_addr);
368 sender_addr.contents = (krb5_octet *) malloc(sizeof(sin.sin_addr));
369 memcpy((char *) sender_addr.contents, (char *) &sin.sin_addr,
370 sizeof(sin.sin_addr));
376 void kerberos_authenticate(context, auth_context, fd, me, new_creds)
377 krb5_context context;
378 krb5_auth_context *auth_context;
381 krb5_creds ** new_creds;
383 krb5_error_code retval;
384 krb5_error *error = NULL;
385 krb5_ap_rep_enc_part *rep_result;
387 if (retval = krb5_auth_con_init(context, auth_context))
390 krb5_auth_con_setflags(context, *auth_context,
391 KRB5_AUTH_CONTEXT_DO_SEQUENCE);
393 if (retval = krb5_auth_con_setaddrs(context, *auth_context, &sender_addr,
395 com_err(progname, retval, "in krb5_auth_con_setaddrs");
399 if (retval = krb5_sendauth(context, auth_context, (void *)&fd,
400 kprop_version, me, creds.server,
401 AP_OPTS_MUTUAL_REQUIRED, NULL, &creds, NULL,
402 &error, &rep_result, new_creds)) {
403 com_err(progname, retval, "while authenticating to server");
405 if (error->error == KRB_ERR_GENERIC) {
406 if (error->text.data)
408 "Generic remote error: %s\n",
410 } else if (error->error) {
412 error->error + ERROR_TABLE_BASE_krb5,
413 "signalled from server");
414 if (error->text.data)
416 "Error text from server: %s\n",
419 krb5_free_error(context, error);
423 krb5_free_ap_rep_enc_part(context, rep_result);
428 * Open the Kerberos database dump file. Takes care of locking it
429 * and making sure that the .ok file is more recent that the database
432 * Returns the file descriptor of the database dump file. Also fills
433 * in the size of the database file.
436 open_database(context, data_fn, size)
437 krb5_context context;
443 struct stat stbuf, stbuf_ok;
445 static char ok[] = ".dump_ok";
447 dbpathname = strdup(data_fn);
449 com_err(progname, ENOMEM, "allocating database file name '%s'",
453 if ((fd = open(dbpathname, O_RDONLY)) < 0) {
454 com_err(progname, errno, "while trying to open %s",
459 err = krb5_lock_file(context, fd,
460 KRB5_LOCKMODE_SHARED|KRB5_LOCKMODE_DONTBLOCK);
461 if (err == EAGAIN || err == EWOULDBLOCK || errno == EACCES) {
462 com_err(progname, 0, "database locked");
465 com_err(progname, err, "while trying to lock '%s'", dbpathname);
468 if (fstat(fd, &stbuf)) {
469 com_err(progname, errno, "while trying to stat %s",
473 if ((data_ok_fn = (char *) malloc(strlen(data_fn)+strlen(ok)+1))
475 com_err(progname, ENOMEM, "while trying to malloc data_ok_fn");
478 strcat(strcpy(data_ok_fn, data_fn), ok);
479 if (stat(data_ok_fn, &stbuf_ok)) {
480 com_err(progname, errno, "while trying to stat %s",
486 if (stbuf.st_mtime > stbuf_ok.st_mtime) {
487 com_err(progname, 0, "'%s' more recent than '%s'.",
488 data_fn, data_ok_fn);
491 *size = stbuf.st_size;
496 close_database(context, fd)
497 krb5_context context;
501 if (err = krb5_lock_file(context, fd, KRB5_LOCKMODE_UNLOCK))
502 com_err(progname, err, "while unlocking database '%s'", dbpathname);
509 * Now we send over the database. We use the following protocol:
510 * Send over a KRB_SAFE message with the size. Then we send over the
511 * database in blocks of KPROP_BLKSIZE, encrypted using KRB_PRIV.
512 * Then we expect to see a KRB_SAFE message with the size sent back.
514 * At any point in the protocol, we may send a KRB_ERROR message; this
515 * will abort the entire operation.
518 xmit_database(context, auth_context, my_creds, fd, database_fd, database_size)
519 krb5_context context;
520 krb5_auth_context auth_context;
521 krb5_creds *my_creds;
526 krb5_int32 send_size, sent_size, n;
527 krb5_data inbuf, outbuf;
528 char buf[KPROP_BUFSIZ];
529 krb5_error_code retval;
535 send_size = htonl(database_size);
536 inbuf.data = (char *) &send_size;
537 inbuf.length = sizeof(send_size); /* must be 4, really */
538 /* KPROP_CKSUMTYPE */
539 if (retval = krb5_mk_safe(context, auth_context, &inbuf,
541 com_err(progname, retval, "while encoding database size");
542 send_error(context, my_creds, fd, "while encoding database size", retval);
545 if (retval = krb5_write_message(context, (void *) &fd, &outbuf)) {
546 krb5_xfree(outbuf.data);
547 com_err(progname, retval, "while sending database size");
550 krb5_xfree(outbuf.data);
552 * Initialize the initial vector.
554 if (retval = krb5_auth_con_initivector(context, auth_context)) {
555 send_error(context, my_creds, fd,
556 "failed while initializing i_vector", retval);
557 com_err(progname, retval, "while allocating i_vector");
561 * Send over the file, block by block....
565 while (n = read(database_fd, buf, sizeof(buf))) {
567 if (retval = krb5_mk_priv(context, auth_context, &inbuf,
570 "while encoding database block starting at %d",
572 com_err(progname, retval, buf);
573 send_error(context, my_creds, fd, buf, retval);
576 if (retval = krb5_write_message(context, (void *)&fd,&outbuf)) {
577 krb5_xfree(outbuf.data);
578 com_err(progname, retval,
579 "while sending database block starting at %d",
583 krb5_xfree(outbuf.data);
586 printf("%d bytes sent.\n", sent_size);
588 if (sent_size != database_size) {
589 com_err(progname, 0, "Premature EOF found for database file!");
590 send_error(context, my_creds, fd,"Premature EOF found for database file!",
591 KRB5KRB_ERR_GENERIC);
595 * OK, we've sent the database; now let's wait for a success
596 * indication from the remote end.
598 if (retval = krb5_read_message(context, (void *) &fd, &inbuf)) {
599 com_err(progname, retval,
600 "while reading response from server");
604 * If we got an error response back from the server, display
607 if (krb5_is_krb_error(&inbuf)) {
608 if (retval = krb5_rd_error(context, &inbuf, &error)) {
609 com_err(progname, retval,
610 "while decoding error response from server");
613 if (error->error == KRB_ERR_GENERIC) {
614 if (error->text.data)
616 "Generic remote error: %s\n",
618 } else if (error->error) {
619 com_err(progname, error->error + ERROR_TABLE_BASE_krb5,
620 "signalled from server");
621 if (error->text.data)
623 "Error text from server: %s\n",
626 krb5_free_error(context, error);
629 if (retval = krb5_rd_safe(context,auth_context,&inbuf,&outbuf,NULL)) {
630 com_err(progname, retval,
631 "while decoding final size packet from server");
634 memcpy((char *)&send_size, outbuf.data, sizeof(send_size));
635 send_size = ntohl(send_size);
636 if (send_size != database_size) {
638 "Kpropd sent database size %d, expecting %d",
639 send_size, database_size);
647 send_error(context, my_creds, fd, err_text, err_code)
648 krb5_context context;
649 krb5_creds *my_creds;
652 krb5_error_code err_code;
658 memset((char *)&error, 0, sizeof(error));
659 krb5_us_timeofday(context, &error.ctime, &error.cusec);
660 error.server = my_creds->server;
661 error.client = my_principal;
662 error.error = err_code - ERROR_TABLE_BASE_krb5;
663 if (error.error > 127)
664 error.error = KRB_ERR_GENERIC;
668 text = error_message(err_code);
669 error.text.length = strlen(text) + 1;
670 if (error.text.data = malloc(error.text.length)) {
671 strcpy(error.text.data, text);
672 if (!krb5_mk_error(context, &error, &outbuf)) {
673 (void) krb5_write_message(context, (void *)&fd,&outbuf);
674 krb5_xfree(outbuf.data);
676 free(error.text.data);
680 void update_last_prop_file(hostname, file_name)
684 /* handle slave locking/failure stuff */
685 char *file_last_prop;
687 static char last_prop[]=".last_prop";
689 if ((file_last_prop = (char *)malloc(strlen(file_name) +
690 strlen(hostname) + 1 +
691 strlen(last_prop) + 1)) == NULL) {
692 com_err(progname, ENOMEM,
693 "while allocating filename for update_last_prop_file");
696 strcpy(file_last_prop, file_name);
697 strcat(file_last_prop, ".");
698 strcat(file_last_prop, hostname);
699 strcat(file_last_prop, last_prop);
700 if ((fd = THREEPARAMOPEN(file_last_prop, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
701 com_err(progname, errno,
702 "while creating 'last_prop' file, '%s'",
704 free(file_last_prop);
708 free(file_last_prop);
projects / krb5.git / blob