1 /* 2 * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "hprop.h" 35 36 static int inetd_flag = -1; 37 static int help_flag; 38 static int version_flag; 39 static int print_dump; 40 static const char *database; 41 static int from_stdin; 42 static char *local_realm; 43 static char *ktname = NULL; 44 45 struct getargs args[] = { 46 { "database", 'd', arg_string, rk_UNCONST(&database), "database", "file" }, 47 { "stdin", 'n', arg_flag, &from_stdin, "read from stdin", NULL }, 48 { "print", 0, arg_flag, &print_dump, "print dump to stdout", NULL }, 49 #ifdef SUPPORT_INETD 50 { "inetd", 'i', arg_negative_flag, &inetd_flag, 51 "Not started from inetd", NULL }, 52 #endif 53 { "keytab", 'k', arg_string, &ktname, "keytab to use for authentication", "keytab" }, 54 { "realm", 'r', arg_string, &local_realm, "realm to use", NULL }, 55 { "version", 0, arg_flag, &version_flag, NULL, NULL }, 56 { "help", 'h', arg_flag, &help_flag, NULL, NULL} 57 }; 58 59 static int num_args = sizeof(args) / sizeof(args[0]); 60 static char unparseable_name[] = "unparseable name"; 61 62 static void 63 usage(int ret) 64 { 65 arg_printusage (args, num_args, NULL, ""); 66 exit (ret); 67 } 68 69 int 70 main(int argc, char **argv) 71 { 72 krb5_error_code ret; 73 krb5_context context; 74 krb5_auth_context ac = NULL; 75 krb5_principal c1, c2; 76 krb5_authenticator authent; 77 krb5_keytab keytab; 78 krb5_socket_t sock = rk_INVALID_SOCKET; 79 HDB *db = NULL; 80 int optidx = 0; 81 char *tmp_db; 82 krb5_log_facility *fac; 83 int nprincs; 84 85 setprogname(argv[0]); 86 87 ret = krb5_init_context(&context); 88 if(ret) 89 exit(1); 90 91 ret = krb5_openlog(context, "hpropd", &fac); 92 if(ret) 93 errx(1, "krb5_openlog"); 94 krb5_set_warn_dest(context, fac); 95 96 if(getarg(args, num_args, argc, argv, &optidx)) 97 usage(1); 98 99 if(local_realm != NULL) 100 krb5_set_default_realm(context, local_realm); 101 102 if(help_flag) 103 usage(0); 104 if(version_flag) { 105 print_version(NULL); 106 exit(0); 107 } 108 109 argc -= optidx; 110 #ifndef __clang_analyzer__ 111 argv += optidx; 112 #endif 113 114 if (argc != 0) 115 usage(1); 116 117 if (database == NULL) 118 database = hdb_default_db(context); 119 120 if(from_stdin) { 121 sock = STDIN_FILENO; 122 } else { 123 struct sockaddr_storage ss; 124 struct sockaddr *sa = (struct sockaddr *)&ss; 125 socklen_t sin_len = sizeof(ss); 126 char addr_name[256]; 127 krb5_ticket *ticket; 128 char *server; 129 130 memset(&ss, 0, sizeof(ss)); 131 sock = STDIN_FILENO; 132 #ifdef SUPPORT_INETD 133 if (inetd_flag == -1) { 134 if (getpeername (sock, sa, &sin_len) < 0) { 135 inetd_flag = 0; 136 } else { 137 inetd_flag = 1; 138 } 139 } 140 #else 141 inetd_flag = 0; 142 #endif 143 if (!inetd_flag) { 144 mini_inetd (krb5_getportbyname (context, "hprop", "tcp", 145 HPROP_PORT), &sock); 146 } 147 sin_len = sizeof(ss); 148 if(getpeername(sock, sa, &sin_len) < 0) 149 krb5_err(context, 1, errno, "getpeername"); 150 151 if (inet_ntop(sa->sa_family, 152 socket_get_address (sa), 153 addr_name, 154 sizeof(addr_name)) == NULL) 155 strlcpy (addr_name, "unknown address", 156 sizeof(addr_name)); 157 158 krb5_log(context, fac, 0, "Connection from %s", addr_name); 159 160 ret = krb5_kt_register(context, &hdb_kt_ops); 161 if(ret) 162 krb5_err(context, 1, ret, "krb5_kt_register"); 163 164 if (ktname != NULL) { 165 ret = krb5_kt_resolve(context, ktname, &keytab); 166 if (ret) 167 krb5_err (context, 1, ret, "krb5_kt_resolve %s", ktname); 168 } else { 169 ret = krb5_kt_default (context, &keytab); 170 if (ret) 171 krb5_err (context, 1, ret, "krb5_kt_default"); 172 } 173 174 ret = krb5_recvauth(context, &ac, &sock, HPROP_VERSION, NULL, 175 0, keytab, &ticket); 176 if(ret) 177 krb5_err(context, 1, ret, "krb5_recvauth"); 178 179 ret = krb5_unparse_name(context, ticket->server, &server); 180 if (ret) 181 krb5_err(context, 1, ret, "krb5_unparse_name"); 182 if (strncmp(server, "hprop/", 5) != 0) 183 krb5_errx(context, 1, "ticket not for hprop (%s)", server); 184 185 free(server); 186 krb5_free_ticket (context, ticket); 187 188 ret = krb5_auth_con_getauthenticator(context, ac, &authent); 189 if(ret) 190 krb5_err(context, 1, ret, "krb5_auth_con_getauthenticator"); 191 192 ret = krb5_make_principal(context, &c1, NULL, "kadmin", "hprop", NULL); 193 if(ret) 194 krb5_err(context, 1, ret, "krb5_make_principal"); 195 _krb5_principalname2krb5_principal(context, &c2, 196 authent->cname, authent->crealm); 197 if(!krb5_principal_compare(context, c1, c2)) { 198 char *s; 199 ret = krb5_unparse_name(context, c2, &s); 200 if (ret) 201 s = unparseable_name; 202 krb5_errx(context, 1, "Unauthorized connection from %s", s); 203 } 204 krb5_free_principal(context, c1); 205 krb5_free_principal(context, c2); 206 207 ret = krb5_kt_close(context, keytab); 208 if(ret) 209 krb5_err(context, 1, ret, "krb5_kt_close"); 210 } 211 212 if(!print_dump) { 213 asprintf(&tmp_db, "%s~", database); 214 215 ret = hdb_create(context, &db, tmp_db); 216 if(ret) 217 krb5_err(context, 1, ret, "hdb_create(%s)", tmp_db); 218 ret = db->hdb_open(context, db, O_RDWR | O_CREAT | O_TRUNC, 0600); 219 if(ret) 220 krb5_err(context, 1, ret, "hdb_open(%s)", tmp_db); 221 } 222 223 nprincs = 0; 224 while(1){ 225 krb5_data data; 226 hdb_entry_ex entry; 227 228 if(from_stdin) { 229 ret = krb5_read_message(context, &sock, &data); 230 if(ret != 0 && ret != HEIM_ERR_EOF) 231 krb5_err(context, 1, ret, "krb5_read_message"); 232 } else { 233 ret = krb5_read_priv_message(context, ac, &sock, &data); 234 if(ret) 235 krb5_err(context, 1, ret, "krb5_read_priv_message"); 236 } 237 238 if(ret == HEIM_ERR_EOF || data.length == 0) { 239 if(!from_stdin) { 240 data.data = NULL; 241 data.length = 0; 242 krb5_write_priv_message(context, ac, &sock, &data); 243 } 244 if(!print_dump) { 245 ret = db->hdb_close(context, db); 246 if(ret) 247 krb5_err(context, 1, ret, "db_close"); 248 ret = db->hdb_rename(context, db, database); 249 if(ret) 250 krb5_err(context, 1, ret, "db_rename"); 251 } 252 break; 253 } 254 memset(&entry, 0, sizeof(entry)); 255 ret = hdb_value2entry(context, &data, &entry.entry); 256 krb5_data_free(&data); 257 if(ret) 258 krb5_err(context, 1, ret, "hdb_value2entry"); 259 if(print_dump) 260 hdb_print_entry(context, db, &entry, stdout); 261 else { 262 ret = db->hdb_store(context, db, 0, &entry); 263 if(ret == HDB_ERR_EXISTS) { 264 char *s; 265 ret = krb5_unparse_name(context, entry.entry.principal, &s); 266 if (ret) 267 s = strdup(unparseable_name); 268 krb5_warnx(context, "Entry exists: %s", s); 269 free(s); 270 } else if(ret) 271 krb5_err(context, 1, ret, "db_store"); 272 else 273 nprincs++; 274 } 275 hdb_free_entry(context, &entry); 276 } 277 if (!print_dump) 278 krb5_log(context, fac, 0, "Received %d principals", nprincs); 279 280 if (inetd_flag == 0) 281 rk_closesocket(sock); 282 283 exit(0); 284 } 285