1 /* 2 * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "hprop.h" 35 36 static int inetd_flag = -1; 37 static int help_flag; 38 static int version_flag; 39 static int print_dump; 40 static const char *database; 41 static int from_stdin; 42 static char *local_realm; 43 static char *ktname = NULL; 44 45 struct getargs args[] = { 46 { "database", 'd', arg_string, rk_UNCONST(&database), "database", "file" }, 47 { "stdin", 'n', arg_flag, &from_stdin, "read from stdin", NULL }, 48 { "print", 0, arg_flag, &print_dump, "print dump to stdout", NULL }, 49 #ifdef SUPPORT_INETD 50 { "inetd", 'i', arg_negative_flag, &inetd_flag, 51 "Not started from inetd", NULL }, 52 #endif 53 { "keytab", 'k', arg_string, &ktname, "keytab to use for authentication", "keytab" }, 54 { "realm", 'r', arg_string, &local_realm, "realm to use", NULL }, 55 { "version", 0, arg_flag, &version_flag, NULL, NULL }, 56 { "help", 'h', arg_flag, &help_flag, NULL, NULL} 57 }; 58 59 static int num_args = sizeof(args) / sizeof(args[0]); 60 static char unparseable_name[] = "unparseable name"; 61 62 static void 63 usage(int ret) 64 { 65 arg_printusage (args, num_args, NULL, ""); 66 exit (ret); 67 } 68 69 int 70 main(int argc, char **argv) 71 { 72 krb5_error_code ret; 73 krb5_context context; 74 krb5_auth_context ac = NULL; 75 krb5_principal c1, c2; 76 krb5_authenticator authent; 77 krb5_keytab keytab; 78 krb5_socket_t sock = rk_INVALID_SOCKET; 79 HDB *db = NULL; 80 int optidx = 0; 81 char *tmp_db; 82 krb5_log_facility *fac; 83 int nprincs; 84 85 setprogname(argv[0]); 86 87 ret = krb5_init_context(&context); 88 if(ret) 89 exit(1); 90 91 ret = krb5_openlog(context, "hpropd", &fac); 92 if(ret) 93 errx(1, "krb5_openlog"); 94 krb5_set_warn_dest(context, fac); 95 96 if(getarg(args, num_args, argc, argv, &optidx)) 97 usage(1); 98 99 if(local_realm != NULL) 100 krb5_set_default_realm(context, local_realm); 101 102 if(help_flag) 103 usage(0); 104 if(version_flag) { 105 print_version(NULL); 106 exit(0); 107 } 108 109 argc -= optidx; 110 argv += optidx; 111 112 if (argc != 0) 113 usage(1); 114 115 if (database == NULL) 116 database = hdb_default_db(context); 117 118 if(from_stdin) { 119 sock = STDIN_FILENO; 120 } else { 121 struct sockaddr_storage ss; 122 struct sockaddr *sa = (struct sockaddr *)&ss; 123 socklen_t sin_len = sizeof(ss); 124 char addr_name[256]; 125 krb5_ticket *ticket; 126 char *server; 127 128 sock = STDIN_FILENO; 129 #ifdef SUPPORT_INETD 130 if (inetd_flag == -1) { 131 if (getpeername (sock, sa, &sin_len) < 0) { 132 inetd_flag = 0; 133 } else { 134 inetd_flag = 1; 135 } 136 } 137 #else 138 inetd_flag = 0; 139 #endif 140 if (!inetd_flag) { 141 mini_inetd (krb5_getportbyname (context, "hprop", "tcp", 142 HPROP_PORT), &sock); 143 } 144 sin_len = sizeof(ss); 145 if(getpeername(sock, sa, &sin_len) < 0) 146 krb5_err(context, 1, errno, "getpeername"); 147 148 if (inet_ntop(sa->sa_family, 149 socket_get_address (sa), 150 addr_name, 151 sizeof(addr_name)) == NULL) 152 strlcpy (addr_name, "unknown address", 153 sizeof(addr_name)); 154 155 krb5_log(context, fac, 0, "Connection from %s", addr_name); 156 157 ret = krb5_kt_register(context, &hdb_kt_ops); 158 if(ret) 159 krb5_err(context, 1, ret, "krb5_kt_register"); 160 161 if (ktname != NULL) { 162 ret = krb5_kt_resolve(context, ktname, &keytab); 163 if (ret) 164 krb5_err (context, 1, ret, "krb5_kt_resolve %s", ktname); 165 } else { 166 ret = krb5_kt_default (context, &keytab); 167 if (ret) 168 krb5_err (context, 1, ret, "krb5_kt_default"); 169 } 170 171 ret = krb5_recvauth(context, &ac, &sock, HPROP_VERSION, NULL, 172 0, keytab, &ticket); 173 if(ret) 174 krb5_err(context, 1, ret, "krb5_recvauth"); 175 176 ret = krb5_unparse_name(context, ticket->server, &server); 177 if (ret) 178 krb5_err(context, 1, ret, "krb5_unparse_name"); 179 if (strncmp(server, "hprop/", 5) != 0) 180 krb5_errx(context, 1, "ticket not for hprop (%s)", server); 181 182 free(server); 183 krb5_free_ticket (context, ticket); 184 185 ret = krb5_auth_con_getauthenticator(context, ac, &authent); 186 if(ret) 187 krb5_err(context, 1, ret, "krb5_auth_con_getauthenticator"); 188 189 ret = krb5_make_principal(context, &c1, NULL, "kadmin", "hprop", NULL); 190 if(ret) 191 krb5_err(context, 1, ret, "krb5_make_principal"); 192 _krb5_principalname2krb5_principal(context, &c2, 193 authent->cname, authent->crealm); 194 if(!krb5_principal_compare(context, c1, c2)) { 195 char *s; 196 ret = krb5_unparse_name(context, c2, &s); 197 if (ret) 198 s = unparseable_name; 199 krb5_errx(context, 1, "Unauthorized connection from %s", s); 200 } 201 krb5_free_principal(context, c1); 202 krb5_free_principal(context, c2); 203 204 ret = krb5_kt_close(context, keytab); 205 if(ret) 206 krb5_err(context, 1, ret, "krb5_kt_close"); 207 } 208 209 if(!print_dump) { 210 asprintf(&tmp_db, "%s~", database); 211 212 ret = hdb_create(context, &db, tmp_db); 213 if(ret) 214 krb5_err(context, 1, ret, "hdb_create(%s)", tmp_db); 215 ret = db->hdb_open(context, db, O_RDWR | O_CREAT | O_TRUNC, 0600); 216 if(ret) 217 krb5_err(context, 1, ret, "hdb_open(%s)", tmp_db); 218 } 219 220 nprincs = 0; 221 while(1){ 222 krb5_data data; 223 hdb_entry_ex entry; 224 225 if(from_stdin) { 226 ret = krb5_read_message(context, &sock, &data); 227 if(ret != 0 && ret != HEIM_ERR_EOF) 228 krb5_err(context, 1, ret, "krb5_read_message"); 229 } else { 230 ret = krb5_read_priv_message(context, ac, &sock, &data); 231 if(ret) 232 krb5_err(context, 1, ret, "krb5_read_priv_message"); 233 } 234 235 if(ret == HEIM_ERR_EOF || data.length == 0) { 236 if(!from_stdin) { 237 data.data = NULL; 238 data.length = 0; 239 krb5_write_priv_message(context, ac, &sock, &data); 240 } 241 if(!print_dump) { 242 ret = db->hdb_close(context, db); 243 if(ret) 244 krb5_err(context, 1, ret, "db_close"); 245 ret = db->hdb_rename(context, db, database); 246 if(ret) 247 krb5_err(context, 1, ret, "db_rename"); 248 } 249 break; 250 } 251 memset(&entry, 0, sizeof(entry)); 252 ret = hdb_value2entry(context, &data, &entry.entry); 253 krb5_data_free(&data); 254 if(ret) 255 krb5_err(context, 1, ret, "hdb_value2entry"); 256 if(print_dump) 257 hdb_print_entry(context, db, &entry, stdout); 258 else { 259 ret = db->hdb_store(context, db, 0, &entry); 260 if(ret == HDB_ERR_EXISTS) { 261 char *s; 262 ret = krb5_unparse_name(context, entry.entry.principal, &s); 263 if (ret) 264 s = strdup(unparseable_name); 265 krb5_warnx(context, "Entry exists: %s", s); 266 free(s); 267 } else if(ret) 268 krb5_err(context, 1, ret, "db_store"); 269 else 270 nprincs++; 271 } 272 hdb_free_entry(context, &entry); 273 } 274 if (!print_dump) 275 krb5_log(context, fac, 0, "Received %d principals", nprincs); 276 277 if (inetd_flag == 0) 278 rk_closesocket(sock); 279 280 exit(0); 281 } 282