Unacked *rlm_nacklist = NULL; /* not acked list for realm-realm
packets */
-Realm *otherrealms; /* points to an array of the known
+ZRealm *otherrealms; /* points to an array of the known
servers */
int nrealms = 0; /* number of other realms */
/*
* External Routines:
*
- * Realm *realm_which_realm(struct sockaddr_in *who)
+ * ZRealm *realm_which_realm(struct sockaddr_in *who)
* figures out if this packet came from another realm's server
*
- * Realm *realm_get_realm_by_pid(int pid)
+ * ZRealm *realm_get_realm_by_pid(int pid)
* figures out which realm a child handler was for
*
* void kill_realm_pids()
* int realm_sender_in_realm(char *realm, char *sender)
* figures out if sender is in realm
*
- * Realm *realm_get_realm_by_name(char *name)
+ * ZRealm *realm_get_realm_by_name(char *name)
* finds a realm struct from the realm array by name, tries expansion
*
* Code_t realm_dispatch(ZNotice_t *notice, int auth, struct sockaddr_in *who,
*
* Code_t realm_control_dispatch(ZNotice_t *notice, int auth,
* struct sockaddr_in *who, Server *server,
- * Realm *realm)
+ * ZRealm *realm)
* dispatches a foreign realm control message
*
* void realm_handoff(ZNotice_t *notice, int auth, struct sockaddr_in *who,
- * Realm *realm, int ack_to_sender)
+ * ZRealm *realm, int ack_to_sender)
* hands off a message to another realm
*
* void realm_dump_realms(File *fp)
* do a database dump of foreign realm info
*
*/
-static void realm_sendit __P((ZNotice_t *notice, struct sockaddr_in *who, int auth, Realm *realm, int ack_to_sender));
-static void realm_sendit_auth __P((ZNotice_t *notice, struct sockaddr_in *who, int auth, Realm *realm, int ack_to_sender));
+static void realm_sendit __P((ZNotice_t *notice, struct sockaddr_in *who, int auth, ZRealm *realm, int ack_to_sender));
+static Code_t realm_sendit_auth __P((ZNotice_t *notice, struct sockaddr_in *who, int auth, ZRealm *realm, int ack_to_sender));
static void rlm_ack __P((ZNotice_t *notice, Unacked *nacked));
static void rlm_nack_cancel __P((ZNotice_t *notice, struct sockaddr_in *who));
static void rlm_new_ticket __P(());
static void rlm_rexmit __P((void *arg));
-static Code_t realm_ulocate_dispatch __P((ZNotice_t *notice,int auth,struct sockaddr_in *who,Server *server,Realm *realm));
-static Code_t realm_new_server __P((struct sockaddr_in *, ZNotice_t *, Realm *));
-static Code_t realm_set_server __P((struct sockaddr_in *, Realm *));
+static Code_t realm_ulocate_dispatch __P((ZNotice_t *notice,int auth,struct sockaddr_in *who,Server *server,ZRealm *realm));
+static Code_t realm_new_server __P((struct sockaddr_in *, ZNotice_t *, ZRealm *));
+static Code_t realm_set_server __P((struct sockaddr_in *, ZRealm *));
#ifdef HAVE_KRB4
-static Code_t ticket_retrieve __P((Realm *realm));
+static Code_t ticket_retrieve __P((ZRealm *realm));
static int ticket_lookup __P((char *realm));
-static int ticket_expired __P((CREDENTIALS *cred));
#endif
static int
realm_get_idx_by_addr(realm, who)
- Realm *realm;
+ ZRealm *realm;
struct sockaddr_in *who;
{
struct sockaddr_in *addr;
realm_expand_realm(realmname)
char *realmname;
{
- Realm *realm;
+ ZRealm *realm;
int a;
/* First, look for an exact match (case insensitive) */
return(realmname);
}
-Realm *
+ZRealm *
realm_get_realm_by_pid(pid)
int pid;
{
- Realm *realm;
+ ZRealm *realm;
int a;
for (realm = otherrealms, a = 0; a < nrealms; a++, realm++)
void
kill_realm_pids()
{
- Realm *realm;
+ ZRealm *realm;
int a;
for (realm = otherrealms, a = 0; a < nrealms; a++, realm++)
return;
}
-Realmname *
+ZRealmname *
get_realm_lists(file)
char *file;
{
- Realmname *rlm_list, *rlm;
+ ZRealmname *rlm_list, *rlm;
int ii, nused, ntotal;
FILE *fp;
char buf[REALM_SZ + MAXHOSTNAMELEN + 1]; /* one for newline */
nused = 0;
if (!(fp = fopen(file, "r")))
- return((Realmname *)0);
+ return((ZRealmname *)0);
/* start with 16, realloc if necessary */
ntotal = 16;
- rlm_list = (Realmname *)malloc(ntotal * sizeof(Realmname));
+ rlm_list = (ZRealmname *)malloc(ntotal * sizeof(ZRealmname));
if (!rlm_list) {
syslog(LOG_CRIT, "get_realm_lists malloc");
abort();
/* new realm */
if (nused + 1 >= ntotal) {
/* make more space */
- rlm_list = (Realmname *)realloc((char *)rlm_list,
+ rlm_list = (ZRealmname *)realloc((char *)rlm_list,
(unsigned)ntotal * 2 *
- sizeof(Realmname));
+ sizeof(ZRealmname));
if (!rlm_list) {
syslog(LOG_CRIT, "get_realm_lists realloc");
abort();
}
}
if (nused + 1 >= ntotal) {
- rlm_list = (Realmname *)realloc((char *)rlm_list,
+ rlm_list = (ZRealmname *)realloc((char *)rlm_list,
(unsigned)(ntotal + 1) *
- sizeof(Realmname));
+ sizeof(ZRealmname));
if (!rlm_list) {
syslog(LOG_CRIT, "get_realm_lists realloc");
abort();
}
*rlm_list[nused].name = '\0';
+ fclose(fp);
return(rlm_list);
}
return 0;
}
-Realm *
+ZRealm *
realm_which_realm(who)
struct sockaddr_in *who;
{
- Realm *realm;
+ ZRealm *realm;
struct sockaddr_in *addr;
int a, b;
return 0;
}
-Realm *
+ZRealm *
realm_get_realm_by_name(name)
char *name;
{
int a;
- Realm *realm;
+ ZRealm *realm;
/* First, look for an exact match (case insensitive) */
for (realm = otherrealms, a = 0; a < nrealms; a++, realm++)
register ZNotice_t *notice;
struct sockaddr_in *who;
{
- register Realm *which = realm_which_realm(who);
+ register ZRealm *which = realm_which_realm(who);
register Unacked *nacked, *next;
ZPacket_t retval;
struct sockaddr_in *who;
Server *server;
{
- Realm *realm;
+ ZRealm *realm;
struct sockaddr_in newwho;
Code_t status = ZERR_NONE;
char rlm_recipient[REALM_SZ + 1];
realm_init()
{
Client *client;
- Realmname *rlmnames;
- Realm *rlm;
+ ZRealmname *rlmnames;
+ ZRealm *rlm;
int ii, jj, found;
struct in_addr *addresses;
struct hostent *hp;
for (nrealms = 0; *rlmnames[nrealms].name; nrealms++);
- otherrealms = (Realm *)malloc(nrealms * sizeof(Realm));
+ otherrealms = (ZRealm *)malloc(nrealms * sizeof(ZRealm));
if (!otherrealms) {
syslog(LOG_CRIT, "malloc failed in realm_init");
abort();
realm_deathgram(server)
Server *server;
{
- Realm *realm;
+ ZRealm *realm;
char rlm_recipient[REALM_SZ + 1];
int jj = 0;
}
#endif
- if ((retval = ZFormatNotice(&snotice, &pack, &packlen, ZAUTH))
+ if ((retval = ZFormatNotice(&snotice, &pack, &packlen, ZCAUTH))
!= ZERR_NONE)
{
syslog(LOG_WARNING, "rlm_deathgram format: %s",
realm_wakeup()
{
int jj, found = 0;
- Realm *realm;
+ ZRealm *realm;
char rlm_recipient[REALM_SZ + 1];
for (jj = 1; jj < nservers; jj++) { /* skip limbo server */
int auth;
struct sockaddr_in *who;
Server *server;
- Realm *realm;
+ ZRealm *realm;
{
register char *opcode = notice->z_opcode;
Code_t status;
int auth;
struct sockaddr_in *who;
Server *server;
- Realm *realm;
+ ZRealm *realm;
{
register char *opcode = notice->z_opcode;
Code_t status;
realm_new_server(sin, notice, realm)
struct sockaddr_in *sin;
ZNotice_t *notice;
- Realm *realm;
+ ZRealm *realm;
{
struct hostent *hp;
char suggested_server[MAXHOSTNAMELEN];
unsigned long addr;
- Realm *rlm;
+ ZRealm *rlm;
struct sockaddr_in sinaddr;
int srvidx;
static Code_t
realm_set_server(sin, realm)
struct sockaddr_in *sin;
- Realm *realm;
+ ZRealm *realm;
{
- Realm *rlm;
+ ZRealm *rlm;
rlm = realm_which_realm(sin);
/* Not exactly */
ZNotice_t *notice;
int auth;
struct sockaddr_in *who;
- Realm *realm;
+ ZRealm *realm;
int ack_to_sender;
{
#ifdef HAVE_KRB4
zdbug((LOG_DEBUG, "realm_sendit to realm %s auth %d", realm->name, auth));
/* valid ticket available now, send the message */
- realm_sendit_auth(notice, who, auth, realm, ack_to_sender);
+ retval = realm_sendit_auth(notice, who, auth, realm, ack_to_sender);
#else /* HAVE_KRB4 */
realm_sendit(notice, who, auth, realm, ack_to_sender);
#endif /* HAVE_KRB4 */
ZNotice_t *notice;
struct sockaddr_in *who;
int auth;
- Realm *realm;
+ ZRealm *realm;
int ack_to_sender;
{
caddr_t pack;
{
Unacked *nackpacket = (Unacked *) arg;
Code_t retval;
- register Realm *realm;
+ register ZRealm *realm;
int new_srv_idx;
zdbug((LOG_DEBUG,"rlm_rexmit"));
}
#ifdef HAVE_KRB4
-static void
+static Code_t
realm_sendit_auth(notice, who, auth, realm, ack_to_sender)
ZNotice_t *notice;
int auth;
struct sockaddr_in *who;
- Realm *realm;
+ ZRealm *realm;
int ack_to_sender;
{
char *buffer, *ptr;
Code_t retval;
Unacked *nacked;
char buf[1024], multi[64];
- CREDENTIALS cred;
- KTEXT_ST authent;
ZNotice_t partnotice, newnotice;
offset = 0;
- /* build an authent. first, make sure we have the ticket available */
- retval = krb_get_cred(SERVER_SERVICE, SERVER_INSTANCE, realm->name, &cred);
- if (retval != GC_OK) {
- syslog(LOG_WARNING, "rlm_sendit_auth get_cred: %s",
- error_message(retval+krb_err_base));
- return;
+ buffer = (char *) malloc(sizeof(ZPacket_t));
+ if (!buffer) {
+ syslog(LOG_ERR, "realm_sendit_auth malloc");
+ return ENOMEM; /* DON'T put on nack list */
}
- retval = krb_mk_req(&authent, SERVER_SERVICE, SERVER_INSTANCE,
- realm->name, 1);
- if (retval != MK_AP_OK) {
- syslog(LOG_WARNING, "rlm_sendit_auth mk_req: %s",
- error_message(retval+krb_err_base));
- return;
- }
+ buffer_len = sizeof(ZPacket_t);
- retval = ZMakeAscii(buf, sizeof(buf), authent.dat, authent.length);
+ newnotice = *notice;
+
+ hdrlen = 0;
+ retval = ZMakeZcodeRealmAuthentication(&newnotice, buffer, buffer_len,
+ &hdrlen, realm->name);
if (retval != ZERR_NONE) {
- syslog(LOG_WARNING, "rlm_sendit_auth mk_ascii: %s",
+ syslog(LOG_WARNING, "rlm_sendit_auth set addr: %s",
error_message(retval));
- return;
+ return (retval);
}
/* set the dest addr */
if (retval != ZERR_NONE) {
syslog(LOG_WARNING, "rlm_sendit_auth set addr: %s",
error_message(retval));
- return;
- }
-
- /* now format the notice, refragmenting if needed */
- newnotice = *notice;
- newnotice.z_auth = 1;
- newnotice.z_ascii_authent = buf;
- newnotice.z_authent_len = authent.length;
-
- buffer = (char *) malloc(sizeof(ZPacket_t));
- if (!buffer) {
- syslog(LOG_ERR, "realm_sendit_auth malloc");
- return; /* DON'T put on nack list */
- }
-
- buffer_len = sizeof(ZPacket_t);
-
- retval = Z_FormatRawHeader(&newnotice, buffer, buffer_len, &hdrlen, &ptr,
- NULL);
- if (retval != ZERR_NONE) {
- syslog(LOG_WARNING, "rlm_sendit_auth raw: %s", error_message(retval));
- free(buffer);
- return;
- }
-
-#ifdef NOENCRYPTION
- newnotice.z_checksum = 0;
-#else
- newnotice.z_checksum =
- (ZChecksum_t)des_quad_cksum(buffer, NULL, ptr - buffer, 0,
- cred.session);
-#endif
-
- retval = Z_FormatRawHeader(&newnotice, buffer, buffer_len, &hdrlen,
- NULL, NULL);
- if (retval != ZERR_NONE) {
- syslog(LOG_WARNING, "rlm_sendit_auth raw: %s", error_message(retval));
- free(buffer);
- return;
+ return (retval);
}
/* This is not terribly pretty, but it does do its job.
* but only the server uses it.
*/
- if ((newnotice.z_message_len+hdrlen > buffer_len) ||
- (newnotice.z_message_len+hdrlen > Z_MAXPKTLEN)) {
- /* Deallocate buffer, use a local one */
+ if ((notice->z_message_len+hdrlen > buffer_len) ||
+ (notice->z_message_len+hdrlen > Z_MAXPKTLEN)) {
+
+ /* Reallocate buffers inside the refragmenter */
free(buffer);
-
- partnotice = *notice;
- partnotice.z_auth = 1;
- partnotice.z_ascii_authent = buf;
- partnotice.z_authent_len = authent.length;
+ partnotice = *notice;
origoffset = 0;
origlen = notice->z_message_len;
syslog(LOG_ERR, "realm_sendit_auth malloc");
return; /* DON'T put on nack list */
}
-
- retval = Z_FormatRawHeader(&partnotice, buffer, buffer_len,
- &hdrlen, &ptr, NULL);
- if (retval != ZERR_NONE) {
- syslog(LOG_WARNING, "rlm_sendit_auth raw: %s",
- error_message(retval));
- free(buffer);
- return;
- }
-
-#ifdef NOENCRYPTION
- partnotice.z_checksum = 0;
-#else
- partnotice.z_checksum =
- (ZChecksum_t)des_quad_cksum(buffer, NULL, ptr - buffer, 0,
- cred.session);
-#endif
- retval = Z_FormatRawHeader(&partnotice, buffer, buffer_len,
- &hdrlen, NULL, NULL);
+ buffer_len = sizeof(ZPacket_t);
+
+ retval = ZMakeZcodeRealmAuthentication(&partnotice, buffer,
+ buffer_len, &hdrlen,
+ realm->name);
if (retval != ZERR_NONE) {
- syslog(LOG_WARNING, "rlm_sendit_auth raw: %s",
+ syslog(LOG_WARNING, "rlm_sendit_auth set addr: %s",
error_message(retval));
free(buffer);
- return;
+ return (retval);
}
ptr = buffer+hdrlen;
syslog(LOG_WARNING, "rlm_sendit_auth xmit: %s",
error_message(retval));
free(buffer);
- return;
+ return(retval);
}
if (!(nacked = (Unacked *)malloc(sizeof(Unacked)))) {
/* no space: just punt */
syslog(LOG_ERR, "rlm_sendit_auth nack malloc");
free(buffer);
- return;
+ return ENOMEM;
}
nacked->rexmits = 0;
if (!notice->z_message_len)
break;
}
-#if 0
- zdbug((LOG_DEBUG, "rlm_sendit_auth frag message sent"));
-#endif
- } else {
+ }
+ else {
/* This is easy, no further fragmentation needed */
ptr = buffer+hdrlen;
(void) memcpy(ptr, newnotice.z_message, newnotice.z_message_len);
- buffer_len = hdrlen+newnotice.z_message_len;
+ buffer_len = hdrlen+newnotice.z_message_len;
/* now send */
if ((retval = ZSendPacket(buffer, buffer_len, 0)) != ZERR_NONE) {
syslog(LOG_WARNING, "rlm_sendit_auth xmit: %s",
error_message(retval));
free(buffer);
- return;
+ return(retval);
}
-#if 0
- zdbug((LOG_DEBUG, "rlm_sendit_auth message sent"));
-#endif
/* now we've sent it, mark it as not ack'ed */
if (!(nacked = (Unacked *)malloc(sizeof(Unacked)))) {
/* no space: just punt */
syslog(LOG_ERR, "rlm_sendit_auth nack malloc");
free(buffer);
- return;
+ return 0;
}
nacked->rexmits = 0;
/* chain in */
LIST_INSERT(&rlm_nacklist, nacked);
}
- return;
-}
-
-static int
-ticket_expired(cred)
-CREDENTIALS *cred;
-{
-#ifdef HAVE_KRB_LIFE_TO_TIME
- return (krb_life_to_time(cred->issue_date, cred->lifetime) < NOW);
-#else /* HAVE_KRB_LIFE_TO_TIME */
- return (cred->issue_date + cred->lifetime*5*60 < NOW);
-#endif /* HAVE_KRB_LIFE_TO_TIME */
+ return 0;
}
static int
ticket_lookup(realm)
char *realm;
{
- CREDENTIALS cred;
- KTEXT_ST authent;
- int retval;
+ krb5_error_code result;
+ krb5_timestamp sec;
+ krb5_ccache ccache;
+ krb5_creds creds_in, *creds;
+
+ result = krb5_cc_default(Z_krb5_ctx, &ccache);
+ if (result)
+ return 0;
+
+ memset(&creds_in, 0, sizeof(creds_in));
+
+ result = krb5_cc_get_principal(Z_krb5_ctx, ccache, &creds_in.client);
+ if (result) {
+ krb5_cc_close(Z_krb5_ctx, ccache);
+ return 0;
+ }
+
+ result = krb5_build_principal(Z_krb5_ctx, &creds_in.server,
+ strlen(realm),
+ realm,
+ SERVER_KRB5_SERVICE, SERVER_INSTANCE, 0);
+ if (result) {
+ krb5_cc_close(Z_krb5_ctx, ccache);
+ return 0;
+ }
- retval = krb_get_cred(SERVER_SERVICE, SERVER_INSTANCE, realm, &cred);
- if (retval == GC_OK && !ticket_expired(&cred))
- /* good ticket */
- return(1);
+ result = krb5_get_credentials(Z_krb5_ctx, 0 /* flags */, ccache,
+ &creds_in, &creds);
+ krb5_cc_close(Z_krb5_ctx, ccache);
+ /* good ticket? */
+
+ krb5_timeofday (Z_krb5_ctx, &sec);
+ krb5_free_cred_contents(Z_krb5_ctx, &creds_in); /* hope this is OK */
+ if ((result == 0) && (sec < creds->times.endtime)) {
+ krb5_free_creds(Z_krb5_ctx, creds);
+ return (1);
+ }
+ if (!result) krb5_free_creds(Z_krb5_ctx, creds);
return (0);
}
static Code_t
ticket_retrieve(realm)
- Realm *realm;
+ ZRealm *realm;
{
- int pid, retval = 0;
- KTEXT_ST authent;
+ int pid;
+ krb5_ccache ccache;
+ krb5_error_code result;
+ krb5_auth_context authctx;
+ krb5_creds creds_in, *creds;
get_tgt();
if (realm->child_pid)
/* Right idea. Basically, we haven't gotten it yet */
- return KRBET_KDC_AUTH_EXP;
-
- /* For Putrify */
- memset(&authent.dat,0,MAX_KTXT_LEN);
- authent.mbz=0;
+ return KRB5KRB_AP_ERR_TKT_EXPIRED;
if (realm->have_tkt) {
- retval = krb_mk_req(&authent, SERVER_SERVICE, SERVER_INSTANCE,
- realm->name, 0);
- if (retval == KSUCCESS) {
- return retval;
+ /* Get a pointer to the default ccache. We don't need to free this. */
+ result = krb5_cc_default(Z_krb5_ctx, &ccache);
+
+ /* GRRR. There's no allocator or constructor for krb5_creds */
+ /* GRRR. It would be nice if this API were documented at all */
+ memset(&creds_in, 0, sizeof(creds_in));
+
+ if (!result)
+ result = krb5_cc_get_principal(Z_krb5_ctx, ccache, &creds_in.client);
+ /* construct the service principal */
+ if (!result)
+ result = krb5_build_principal(Z_krb5_ctx, &creds_in.server,
+ strlen(realm->name), realm->name,
+ SERVER_KRB5_SERVICE, SERVER_INSTANCE,
+ 0);
+
+ /* HOLDING: creds_in.server */
+
+ /* look up or get the credentials we need */
+ if (!result)
+ result = krb5_get_credentials(Z_krb5_ctx, 0 /* flags */, ccache,
+ &creds_in, &creds);
+ krb5_cc_close(Z_krb5_ctx, ccache);
+ krb5_free_cred_contents(Z_krb5_ctx, &creds_in); /* hope this is OK */
+ if (!result) {
+ krb5_free_creds(Z_krb5_ctx, creds);
+ return 0;
}
} else {
syslog(LOG_ERR, "tkt_rtrv: don't have ticket, but have no child");
#endif
#endif
+ syslog(LOG_INFO, "tkt_rtrv running for %s", realm->name);
while (1) {
- retval = krb_mk_req(&authent, SERVER_SERVICE, SERVER_INSTANCE,
- realm->name, 0);
- if (retval == KSUCCESS)
+ /* Get a pointer to the default ccache. We don't need to free this. */
+ result = krb5_cc_default(Z_krb5_ctx, &ccache);
+
+ /* GRRR. There's no allocator or constructor for krb5_creds */
+ /* GRRR. It would be nice if this API were documented at all */
+ memset(&creds_in, 0, sizeof(creds_in));
+
+ if (!result)
+ result = krb5_cc_get_principal(Z_krb5_ctx, ccache, &creds_in.client);
+ /* construct the service principal */
+ if (!result)
+ result = krb5_build_principal(Z_krb5_ctx, &creds_in.server,
+ strlen(realm->name), realm->name,
+ SERVER_KRB5_SERVICE, SERVER_INSTANCE,
+ 0);
+
+ /* HOLDING: creds_in.server */
+
+ /* look up or get the credentials we need */
+ if (!result)
+ result = krb5_get_credentials(Z_krb5_ctx, 0 /* flags */, ccache,
+ &creds_in, &creds);
+ krb5_cc_close(Z_krb5_ctx, ccache);
+ krb5_free_cred_contents(Z_krb5_ctx, &creds_in); /* hope this is OK */
+ if (!result) {
+ krb5_free_creds(Z_krb5_ctx, creds);
+ syslog(LOG_INFO, "tkt_rtrv succeeded for %s", realm->name);
exit(0);
+ }
/* Sleep a little while before retrying */
sleep(30);
realm->child_pid = pid;
realm->have_tkt = 0;
- syslog(LOG_WARNING, "tkt_rtrv: %s: %s", realm->name,
- krb_err_txt[retval]);
- return (retval+krb_err_base);
+ syslog(LOG_WARNING, "tkt_rtrv: %s: %d", realm->name,
+ result);
+ return (result);
}
}
#endif /* HAVE_KRB4 */
projects / 1ts-debian.git / blobdiff