authorTom Yu <tlyu@mit.edu>2009-10-31 00:48:38 +0000
committerTom Yu <tlyu@mit.edu>2009-10-31 00:48:38 +0000
commit02d6bcbc98a214e7aeaaa9f45f0db8784a7b743b (patch)
tree61b9147863cd8be3eff63903dc36cae168254bd5 /src/kadmin/server
parent162ab371748cba0cc6f172419bd6e71fa04bb878 (diff)
make mark-cstyle
make reindent

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin/server')
-rw-r--r--src/kadmin/server/kadm_rpc_svc.c28
-rw-r--r--src/kadmin/server/misc.c241
-rw-r--r--src/kadmin/server/misc.h63
-rw-r--r--src/kadmin/server/network.c1799
-rw-r--r--src/kadmin/server/ovsec_kadmd.c1342
-rw-r--r--src/kadmin/server/schpw.c431
-rw-r--r--src/kadmin/server/server_stubs.c1645
7 files changed, 2777 insertions, 2772 deletions
diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c
index 68d8af497a..9b556e9253 100644
--- a/src/kadmin/server/kadm_rpc_svc.c
+++ b/src/kadmin/server/kadm_rpc_svc.c
@@ -28,7 +28,7 @@ static int check_rpcsec_auth(struct svc_req *);
/*
* Function: kadm_1
- *
+ *
* Purpose: RPC proccessing procedure.
* originally generated from rpcgen
*
@@ -79,36 +79,36 @@ void kadm_1(rqstp, transp)
svcerr_weakauth(transp);
return;
}
-
+
switch (rqstp->rq_proc) {
case NULLPROC:
(void) svc_sendreply(transp, xdr_void, (char *)NULL);
return;
-
+
case CREATE_PRINCIPAL:
xdr_argument = xdr_cprinc_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) create_principal_2_svc;
break;
-
+
case DELETE_PRINCIPAL:
xdr_argument = xdr_dprinc_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) delete_principal_2_svc;
break;
-
+
case MODIFY_PRINCIPAL:
xdr_argument = xdr_mprinc_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) modify_principal_2_svc;
break;
-
+
case RENAME_PRINCIPAL:
xdr_argument = xdr_rprinc_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) rename_principal_2_svc;
break;
-
+
case GET_PRINCIPAL:
xdr_argument = xdr_gprinc_arg;
xdr_result = xdr_gprinc_ret;
@@ -120,7 +120,7 @@ void kadm_1(rqstp, transp)
xdr_result = xdr_gprincs_ret;
local = (char *(*)()) get_princs_2_svc;
break;
-
+
case CHPASS_PRINCIPAL:
xdr_argument = xdr_chpass_arg;
xdr_result = xdr_generic_ret;
@@ -138,31 +138,31 @@ void kadm_1(rqstp, transp)
xdr_result = xdr_generic_ret;
local = (char *(*)()) setkey_principal_2_svc;
break;
-
+
case CHRAND_PRINCIPAL:
xdr_argument = xdr_chrand_arg;
xdr_result = xdr_chrand_ret;
local = (char *(*)()) chrand_principal_2_svc;
break;
-
+
case CREATE_POLICY:
xdr_argument = xdr_cpol_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) create_policy_2_svc;
break;
-
+
case DELETE_POLICY:
xdr_argument = xdr_dpol_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) delete_policy_2_svc;
break;
-
+
case MODIFY_POLICY:
xdr_argument = xdr_mpol_arg;
xdr_result = xdr_generic_ret;
local = (char *(*)()) modify_policy_2_svc;
break;
-
+
case GET_POLICY:
xdr_argument = xdr_gpol_arg;
xdr_result = xdr_gpol_ret;
@@ -174,7 +174,7 @@ void kadm_1(rqstp, transp)
xdr_result = xdr_gpols_ret;
local = (char *(*)()) get_pols_2_svc;
break;
-
+
case GET_PRIVS:
xdr_argument = xdr_u_int32;
xdr_result = xdr_getprivs_ret;
diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
index 1725fbf7d7..375fbd1514 100644
--- a/src/kadmin/server/misc.c
+++ b/src/kadmin/server/misc.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
@@ -11,109 +12,109 @@
/*
* Function: chpass_principal_wrapper_3
- *
+ *
* Purpose: wrapper to kadm5_chpass_principal that checks to see if
- * pw_min_life has been reached. if not it returns an error.
- * otherwise it calls kadm5_chpass_principal
+ * pw_min_life has been reached. if not it returns an error.
+ * otherwise it calls kadm5_chpass_principal
*
* Arguments:
- * principal (input) krb5_principals whose password we are
- * changing
- * keepold (input) whether to preserve old keys
- * n_ks_tuple (input) the number of key-salt tuples in ks_tuple
- * ks_tuple (input) array of tuples indicating the caller's
- * requested enctypes/salttypes
- * password (input) password we are going to change to.
- * <return value> 0 on success error code on failure.
+ * principal (input) krb5_principals whose password we are
+ * changing
+ * keepold (input) whether to preserve old keys
+ * n_ks_tuple (input) the number of key-salt tuples in ks_tuple
+ * ks_tuple (input) array of tuples indicating the caller's
+ * requested enctypes/salttypes
+ * password (input) password we are going to change to.
+ * <return value> 0 on success error code on failure.
*
* Requires:
- * kadm5_init to have been run.
- *
+ * kadm5_init to have been run.
+ *
* Effects:
- * calls kadm5_chpass_principal which changes the kdb and the
- * the admin db.
+ * calls kadm5_chpass_principal which changes the kdb and the
+ * the admin db.
*
*/
kadm5_ret_t
chpass_principal_wrapper_3(void *server_handle,
- krb5_principal principal,
- krb5_boolean keepold,
- int n_ks_tuple,
- krb5_key_salt_tuple *ks_tuple,
- char *password)
+ krb5_principal principal,
+ krb5_boolean keepold,
+ int n_ks_tuple,
+ krb5_key_salt_tuple *ks_tuple,
+ char *password)
{
- kadm5_ret_t ret;
+ kadm5_ret_t ret;
ret = check_min_life(server_handle, principal, NULL, 0);
if (ret)
- return ret;
+ return ret;
return kadm5_chpass_principal_3(server_handle, principal,
- keepold, n_ks_tuple, ks_tuple,
- password);
+ keepold, n_ks_tuple, ks_tuple,
+ password);
}
/*
* Function: randkey_principal_wrapper_3
- *
+ *
* Purpose: wrapper to kadm5_randkey_principal which checks the
- * password's min. life.
+ * password's min. life.
*
* Arguments:
- * principal (input) krb5_principal whose password we are
- * changing
- * keepold (input) whether to preserve old keys
- * n_ks_tuple (input) the number of key-salt tuples in ks_tuple
- * ks_tuple (input) array of tuples indicating the caller's
- * requested enctypes/salttypes
- * key (output) new random key
- * <return value> 0, error code on error.
+ * principal (input) krb5_principal whose password we are
+ * changing
+ * keepold (input) whether to preserve old keys
+ * n_ks_tuple (input) the number of key-salt tuples in ks_tuple
+ * ks_tuple (input) array of tuples indicating the caller's
+ * requested enctypes/salttypes
+ * key (output) new random key
+ * <return value> 0, error code on error.
*
* Requires:
- * kadm5_init needs to be run
- *
+ * kadm5_init needs to be run
+ *
* Effects:
- * calls kadm5_randkey_principal
+ * calls kadm5_randkey_principal
*
*/
kadm5_ret_t
randkey_principal_wrapper_3(void *server_handle,
- krb5_principal principal,
- krb5_boolean keepold,
- int n_ks_tuple,
- krb5_key_salt_tuple *ks_tuple,
- krb5_keyblock **keys, int *n_keys)
+ krb5_principal principal,
+ krb5_boolean keepold,
+ int n_ks_tuple,
+ krb5_key_salt_tuple *ks_tuple,
+ krb5_keyblock **keys, int *n_keys)
{
- kadm5_ret_t ret;
+ kadm5_ret_t ret;
ret = check_min_life(server_handle, principal, NULL, 0);
if (ret)
- return ret;
+ return ret;
return kadm5_randkey_principal_3(server_handle, principal,
- keepold, n_ks_tuple, ks_tuple,
- keys, n_keys);
+ keepold, n_ks_tuple, ks_tuple,
+ keys, n_keys);
}
kadm5_ret_t
schpw_util_wrapper(void *server_handle,
- krb5_principal client,
- krb5_principal target,
- krb5_boolean initial_flag,
- char *new_pw, char **ret_pw,
- char *msg_ret, unsigned int msg_len)
+ krb5_principal client,
+ krb5_principal target,
+ krb5_boolean initial_flag,
+ char *new_pw, char **ret_pw,
+ char *msg_ret, unsigned int msg_len)
{
- kadm5_ret_t ret;
- kadm5_server_handle_t handle = server_handle;
- krb5_boolean access_granted;
- krb5_boolean self;
+ kadm5_ret_t ret;
+ kadm5_server_handle_t handle = server_handle;
+ krb5_boolean access_granted;
+ krb5_boolean self;
/*
* If no target is explicitly provided, then the target principal
* is the client principal.
*/
if (target == NULL)
- target = client;
+ target = client;
/*
* A principal can always change its own password, as long as it
@@ -122,32 +123,32 @@ schpw_util_wrapper(void *server_handle,
*/
self = krb5_principal_compare(handle->context, client, target);
if (self) {
- ret = check_min_life(server_handle, target, msg_ret, msg_len);
- if (ret != 0)
- return ret;
+ ret = check_min_life(server_handle, target, msg_ret, msg_len);
+ if (ret != 0)
+ return ret;
- access_granted = initial_flag;
+ access_granted = initial_flag;
} else
- access_granted = FALSE;
+ access_granted = FALSE;
if (!access_granted &&
- kadm5int_acl_check_krb(handle->context, client,
- ACL_CHANGEPW, target, NULL)) {
- /*
- * Otherwise, principals with appropriate privileges can change
- * any password
- */
- access_granted = TRUE;
+ kadm5int_acl_check_krb(handle->context, client,
+ ACL_CHANGEPW, target, NULL)) {
+ /*
+ * Otherwise, principals with appropriate privileges can change
+ * any password
+ */
+ access_granted = TRUE;
}
if (access_granted) {
- ret = kadm5_chpass_principal_util(server_handle,
- target,
- new_pw, ret_pw,
- msg_ret, msg_len);
+ ret = kadm5_chpass_principal_util(server_handle,
+ target,
+ new_pw, ret_pw,
+ msg_ret, msg_len);
} else {
- ret = KADM5_AUTH_CHANGEPW;
- strlcpy(msg_ret, "Unauthorized request", msg_len);
+ ret = KADM5_AUTH_CHANGEPW;
+ strlcpy(msg_ret, "Unauthorized request", msg_len);
}
return ret;
@@ -155,60 +156,60 @@ schpw_util_wrapper(void *server_handle,
kadm5_ret_t
check_min_life(void *server_handle, krb5_principal principal,
- char *msg_ret, unsigned int msg_len)
+ char *msg_ret, unsigned int msg_len)
{
- krb5_int32 now;
- kadm5_ret_t ret;
- kadm5_policy_ent_rec pol;
- kadm5_principal_ent_rec princ;
- kadm5_server_handle_t handle = server_handle;
+ krb5_int32 now;
+ kadm5_ret_t ret;
+ kadm5_policy_ent_rec pol;
+ kadm5_principal_ent_rec princ;
+ kadm5_server_handle_t handle = server_handle;
if (msg_ret != NULL)
- *msg_ret = '\0';
+ *msg_ret = '\0';
ret = krb5_timeofday(handle->context, &now);
if (ret)
- return ret;
+ return ret;
- ret = kadm5_get_principal(handle->lhandle, principal,
- &princ, KADM5_PRINCIPAL_NORMAL_MASK);
- if(ret)
- return ret;
+ ret = kadm5_get_principal(handle->lhandle, principal,
+ &princ, KADM5_PRINCIPAL_NORMAL_MASK);
+ if(ret)
+ return ret;
if(princ.aux_attributes & KADM5_POLICY) {
- if((ret=kadm5_get_policy(handle->lhandle,
- princ.policy, &pol)) != KADM5_OK) {
- (void) kadm5_free_principal_ent(handle->lhandle, &princ);
- return ret;
- }
- if((now - princ.last_pwd_change) < pol.pw_min_life &&
- !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- if (msg_ret != NULL) {
- time_t until;
- char *time_string, *ptr, *errstr;
-
- until = princ.last_pwd_change + pol.pw_min_life;
-
- time_string = ctime(&until);
- errstr = error_message(CHPASS_UTIL_PASSWORD_TOO_SOON);
-
- if (strlen(errstr) + strlen(time_string) >= msg_len) {
- *errstr = '\0';
- } else {
- if (*(ptr = &time_string[strlen(time_string)-1]) == '\n')
- *ptr = '\0';
- snprintf(msg_ret, msg_len, errstr, time_string);
- }
- }
-
- (void) kadm5_free_policy_ent(handle->lhandle, &pol);
- (void) kadm5_free_principal_ent(handle->lhandle, &princ);
- return KADM5_PASS_TOOSOON;
- }
-
- ret = kadm5_free_policy_ent(handle->lhandle, &pol);
- if (ret) {
- (void) kadm5_free_principal_ent(handle->lhandle, &princ);
- return ret;
+ if((ret=kadm5_get_policy(handle->lhandle,
+ princ.policy, &pol)) != KADM5_OK) {
+ (void) kadm5_free_principal_ent(handle->lhandle, &princ);
+ return ret;
+ }
+ if((now - princ.last_pwd_change) < pol.pw_min_life &&
+ !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+ if (msg_ret != NULL) {
+ time_t until;
+ char *time_string, *ptr, *errstr;
+
+ until = princ.last_pwd_change + pol.pw_min_life;
+
+ time_string = ctime(&until);
+ errstr = error_message(CHPASS_UTIL_PASSWORD_TOO_SOON);
+
+ if (strlen(errstr) + strlen(time_string) >= msg_len) {
+ *errstr = '\0';
+ } else {
+ if (*(ptr = &time_string[strlen(time_string)-1]) == '\n')
+ *ptr = '\0';
+ snprintf(msg_ret, msg_len, errstr, time_string);
+ }
+ }
+
+ (void) kadm5_free_policy_ent(handle->lhandle, &pol);
+ (void) kadm5_free_principal_ent(handle->lhandle, &princ);
+ return KADM5_PASS_TOOSOON;
+ }
+
+ ret = kadm5_free_policy_ent(handle->lhandle, &pol);
+ if (ret) {
+ (void) kadm5_free_principal_ent(handle->lhandle, &princ);
+ return ret;
}
}
diff --git a/src/kadmin/server/misc.h b/src/kadmin/server/misc.h
index 073f6ff105..10e6054dbb 100644
--- a/src/kadmin/server/misc.h
+++ b/src/kadmin/server/misc.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1994 OpenVision Technologies, Inc., All Rights Reserved
*
@@ -7,51 +8,51 @@
#define _MISC_H 1
typedef struct _krb5_fulladdr {
- krb5_address * address;
- krb5_ui_4 port;
+ krb5_address * address;
+ krb5_ui_4 port;
} krb5_fulladdr;
void
log_badauth(OM_uint32 major, OM_uint32 minor,
- struct sockaddr_in *addr, char *data);
+ struct sockaddr_in *addr, char *data);
int
setup_gss_names(struct svc_req *, gss_buffer_desc *,
- gss_buffer_desc *);
+ gss_buffer_desc *);
kadm5_ret_t
chpass_principal_wrapper_3(void *server_handle,
- krb5_principal principal,
- krb5_boolean keepold,
- int n_ks_tuple,
- krb5_key_salt_tuple *ks_tuple,
- char *password);
+ krb5_principal principal,
+ krb5_boolean keepold,
+ int n_ks_tuple,
+ krb5_key_salt_tuple *ks_tuple,
+ char *password);
kadm5_ret_t
randkey_principal_wrapper_3(void *server_handle,
- krb5_principal principal,
- krb5_boolean keepold,
- int n_ks_tuple,
- krb5_key_salt_tuple *ks_tuple,
- krb5_keyblock **keys, int *n_keys);
+ krb5_principal principal,
+ krb5_boolean keepold,
+ int n_ks_tuple,
+ krb5_key_salt_tuple *ks_tuple,
+ krb5_keyblock **keys, int *n_keys);
kadm5_ret_t
schpw_util_wrapper(void *server_handle, krb5_principal client,
- krb5_principal target, krb5_boolean initial_flag,
- char *new_pw, char **ret_pw,
- char *msg_ret, unsigned int msg_len);
+ krb5_principal target, krb5_boolean initial_flag,
+ char *new_pw, char **ret_pw,
+ char *msg_ret, unsigned int msg_len);
kadm5_ret_t check_min_life(void *server_handle, krb5_principal principal,
- char *msg_ret, unsigned int msg_len);
+ char *msg_ret, unsigned int msg_len);
-krb5_error_code process_chpw_request(krb5_context context,
- void *server_handle,
- char *realm,
- krb5_keytab keytab,
- krb5_fulladdr *local_faddr,
- krb5_fulladdr *remote_faddr,
- krb5_data *req, krb5_data *rep);
+krb5_error_code process_chpw_request(krb5_context context,
+ void *server_handle,
+ char *realm,
+ krb5_keytab keytab,
+ krb5_fulladdr *local_faddr,
+ krb5_fulladdr *remote_faddr,
+ krb5_data *req, krb5_data *rep);
void kadm_1(struct svc_req *, SVCXPRT *);
void krb5_iprop_prog_1(struct svc_req *, SVCXPRT *);
@@ -60,7 +61,7 @@ void trunc_name(size_t *len, char **dots);
int
gss_to_krb5_name_1(struct svc_req *rqstp, krb5_context ctx, gss_name_t gss_name,
- krb5_principal *princ, gss_buffer_t gss_str);
+ krb5_principal *princ, gss_buffer_t gss_str);
extern volatile int signal_request_exit;
@@ -69,7 +70,7 @@ extern volatile int signal_request_hup;
void reset_db(void);
void log_badauth(OM_uint32 major, OM_uint32 minor,
- struct sockaddr_in *addr, char *data);
+ struct sockaddr_in *addr, char *data);
/* network.c */
krb5_error_code setup_network(void *handle, const char *prog);
@@ -77,13 +78,13 @@ krb5_error_code listen_and_process(void *handle, const char *prog);
krb5_error_code closedown_network(void *handle, const char *prog);
-void
+void
krb5_iprop_prog_1(struct svc_req *rqstp, SVCXPRT *transp);
-kadm5_ret_t
+kadm5_ret_t
kiprop_get_adm_host_srv_name(krb5_context,
- const char *,
- char **);
+ const char *,
+ char **);
#endif /* _MISC_H */
diff --git a/src/kadmin/server/network.c b/src/kadmin/server/network.c
index df3f01cf06..5dd7f2e02e 100644
--- a/src/kadmin/server/network.c
+++ b/src/kadmin/server/network.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* kadmin/server/network.c
*
@@ -7,7 +8,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -21,7 +22,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Network code for Kerberos v5 kadmin server (based on KDC code).
*/
@@ -61,7 +62,7 @@
#endif
#ifdef HAVE_SYS_FILIO_H
-#include <sys/filio.h> /* FIONBIO */
+#include <sys/filio.h> /* FIONBIO */
#endif
#include "fake-addrinfo.h"
@@ -75,15 +76,15 @@ set_sa_port(struct sockaddr *addr, int port)
{
switch (addr->sa_family) {
case AF_INET:
- sa2sin(addr)->sin_port = port;
- break;
+ sa2sin(addr)->sin_port = port;
+ break;
#ifdef KRB5_USE_INET6
case AF_INET6:
- sa2sin6(addr)->sin6_port = port;
- break;
+ sa2sin6(addr)->sin6_port = port;
+ break;
#endif
default:
- break;
+ break;
}
}
@@ -92,13 +93,13 @@ static int ipv6_enabled()
#ifdef KRB5_USE_INET6
static int result = -1;
if (result == -1) {
- int s;
- s = socket(AF_INET6, SOCK_STREAM, 0);
- if (s >= 0) {
- result = 1;
- close(s);
- } else
- result = 0;
+ int s;
+ s = socket(AF_INET6, SOCK_STREAM, 0);
+ if (s >= 0) {
+ result = 1;
+ close(s);
+ } else
+ result = 0;
}
return result;
#else
@@ -139,21 +140,21 @@ set_pktinfo(int sock, int family)
switch (family) {
#if defined(IP_PKTINFO) && defined(HAVE_STRUCT_IN_PKTINFO)
case AF_INET:
- proto = IPPROTO_IP;
- option = IP_RECVPKTINFO;
- break;
+ proto = IPPROTO_IP;
+ option = IP_RECVPKTINFO;
+ break;
#endif
#if defined(IPV6_PKTINFO) && defined(HAVE_STRUCT_IN6_PKTINFO)
case AF_INET6:
- proto = IPPROTO_IPV6;
- option = IPV6_RECVPKTINFO;
- break;
+ proto = IPPROTO_IPV6;
+ option = IPV6_RECVPKTINFO;
+ break;
#endif
default:
- return EINVAL;
+ return EINVAL;
}
if (setsockopt(sock, proto, option, &sockopt, sizeof(sockopt)))
- return errno;
+ return errno;
return 0;
}
@@ -163,17 +164,17 @@ static const char *paddr (struct sockaddr *sa)
static char buf[100];
char portbuf[10];
if (getnameinfo(sa, socklen(sa),
- buf, sizeof(buf), portbuf, sizeof(portbuf),
- NI_NUMERICHOST|NI_NUMERICSERV))
- strlcpy(buf, "<unprintable>", sizeof(buf));
+ buf, sizeof(buf), portbuf, sizeof(portbuf),
+ NI_NUMERICHOST|NI_NUMERICSERV))
+ strlcpy(buf, "<unprintable>", sizeof(buf));
else {
- unsigned int len = sizeof(buf) - strlen(buf);
- char *p = buf + strlen(buf);
- if (len > 2+strlen(portbuf)) {
- *p++ = '.';
- len--;
- strncpy(p, portbuf, len);
- }
+ unsigned int len = sizeof(buf) - strlen(buf);
+ char *p = buf + strlen(buf);
+ if (len > 2+strlen(portbuf)) {
+ *p++ = '.';
+ len--;
+ strncpy(p, portbuf, len);
+ }
}
return buf;
}
@@ -192,31 +193,31 @@ struct connection {
enum conn_type type;
void (*service)(void *handle, struct connection *, const char *, int);
union {
- /* Type-specific information. */
- struct {
- /* connection */
- struct sockaddr_storage addr_s;
- socklen_t addrlen;
- char addrbuf[56];
- krb5_fulladdr faddr;
- krb5_address kaddr;
- /* incoming */
- size_t bufsiz;
- size_t offset;
- char *buffer;
- size_t msglen;
- /* outgoing */
- krb5_data *response;
- unsigned char lenbuf[4];
- sg_buf sgbuf[2];
- sg_buf *sgp;
- int sgnum;
- /* crude denial-of-service avoidance support */
- time_t start_time;
- } tcp;
- struct {
- SVCXPRT *transp;
- } rpc;
+ /* Type-specific information. */
+ struct {
+ /* connection */
+ struct sockaddr_storage addr_s;
+ socklen_t addrlen;
+ char addrbuf[56];
+ krb5_fulladdr faddr;
+ krb5_address kaddr;
+ /* incoming */
+ size_t bufsiz;
+ size_t offset;
+ char *buffer;
+ size_t msglen;
+ /* outgoing */
+ krb5_data *response;
+ unsigned char lenbuf[4];
+ sg_buf sgbuf[2];
+ sg_buf *sgp;
+ int sgnum;
+ /* crude denial-of-service avoidance support */
+ time_t start_time;
+ } tcp;
+ struct {
+ SVCXPRT *transp;
+ } rpc;
} u;
};
@@ -226,47 +227,47 @@ struct connection {
/* Start at the top and work down -- this should allow for deletions
without disrupting the iteration, since we delete by overwriting
the element to be removed with the last element. */
-#define FOREACH_ELT(set,idx,vvar) \
- for (idx = set.n-1; idx >= 0 && (vvar = set.data[idx], 1); idx--)
-
-#define GROW_SET(set, incr, tmpptr) \
- (((int)(set.max + incr) < set.max \
- || (((size_t)((int)(set.max + incr) * sizeof(set.data[0])) \
- / sizeof(set.data[0])) \
- != (set.max + incr))) \
- ? 0 /* overflow */ \
- : ((tmpptr = realloc(set.data, \
- (int)(set.max + incr) * sizeof(set.data[0]))) \
- ? (set.data = tmpptr, set.max += incr, 1) \
- : 0))
+#define FOREACH_ELT(set,idx,vvar) \
+ for (idx = set.n-1; idx >= 0 && (vvar = set.data[idx], 1); idx--)
+
+#define GROW_SET(set, incr, tmpptr) \
+ (((int)(set.max + incr) < set.max \
+ || (((size_t)((int)(set.max + incr) * sizeof(set.data[0])) \
+ / sizeof(set.data[0])) \
+ != (set.max + incr))) \
+ ? 0 /* overflow */ \
+ : ((tmpptr = realloc(set.data, \
+ (int)(set.max + incr) * sizeof(set.data[0]))) \
+ ? (set.data = tmpptr, set.max += incr, 1) \
+ : 0))
/* 1 = success, 0 = failure */
-#define ADD(set, val, tmpptr) \
- ((set.n < set.max || GROW_SET(set, 10, tmpptr)) \
- ? (set.data[set.n++] = val, 1) \
- : 0)
+#define ADD(set, val, tmpptr) \
+ ((set.n < set.max || GROW_SET(set, 10, tmpptr)) \
+ ? (set.data[set.n++] = val, 1) \
+ : 0)
-#define DEL(set, idx) \
- (set.data[idx] = set.data[--set.n], 0)
+#define DEL(set, idx) \
+ (set.data[idx] = set.data[--set.n], 0)
-#define FREE_SET_DATA(set) \
- (free(set.data), set.data = 0, set.max = 0, set.n = 0)
+#define FREE_SET_DATA(set) \
+ (free(set.data), set.data = 0, set.max = 0, set.n = 0)
/* Set<struct connection *> connections; */
static SET(struct connection *) connections;
-#define n_sockets connections.n
-#define conns connections.data
+#define n_sockets connections.n
+#define conns connections.data
/* Set<u_short> udp_port_data, tcp_port_data; */
static SET(u_short) udp_port_data, tcp_port_data;
-struct rpc_svc_data {
- u_short port;
- u_long prognum;
- u_long versnum;
- void (*dispatch)();
-};
+ struct rpc_svc_data {
+ u_short port;
+ u_long prognum;
+ u_long versnum;
+ void (*dispatch)();
+ };
static SET(struct rpc_svc_data) rpc_svc_data;
@@ -277,60 +278,60 @@ static fd_set rpc_listenfds;
static krb5_error_code add_udp_port(int port)
{
- int i;
+ int i;
void *tmp;
u_short val;
u_short s_port = port;
if (s_port != port)
- return EINVAL;
+ return EINVAL;
FOREACH_ELT (udp_port_data, i, val)
- if (s_port == val)
- return 0;
+ if (s_port == val)
+ return 0;
if (!ADD(udp_port_data, s_port, tmp))
- return ENOMEM;
+ return ENOMEM;
return 0;
}
static krb5_error_code add_tcp_port(int port)
{
- int i;
+ int i;
void *tmp;
u_short val;
u_short s_port = port;
if (s_port != port)
- return EINVAL;
+ return EINVAL;
FOREACH_ELT (tcp_port_data, i, val)
- if (s_port == val)
- return 0;
+ if (s_port == val)
+ return 0;
if (!ADD(tcp_port_data, s_port, tmp))
- return ENOMEM;
+ return ENOMEM;
return 0;
}
static krb5_error_code add_rpc_service(int port, u_long prognum, u_long versnum,
- void (*dispatch)())
+ void (*dispatch)())
{
- int i;
+ int i;
void *tmp;
struct rpc_svc_data svc, val;
svc.port = port;
if (svc.port != port)
- return EINVAL;
+ return EINVAL;
svc.prognum = prognum;
svc.versnum = versnum;
svc.dispatch = dispatch;
FOREACH_ELT (rpc_svc_data, i, val) {
- if (val.port == port)
- return 0;
+ if (val.port == port)
+ return 0;
}
if (!ADD(rpc_svc_data, svc, tmp))
- return ENOMEM;
+ return ENOMEM;
return 0;
}
@@ -351,31 +352,31 @@ struct socksetup {
static struct connection *
add_fd (struct socksetup *data, int sock, enum conn_type conntype,
- void (*service)(void *handle, struct connection *, const char *, int))
+ void (*service)(void *handle, struct connection *, const char *, int))
{
struct connection *newconn;
void *tmp;
#ifndef _WIN32
if (sock >= FD_SETSIZE) {
- data->retval = EMFILE; /* XXX */
- com_err(data->prog, 0,
- "file descriptor number %d too high", sock);
- return 0;
+ data->retval = EMFILE; /* XXX */
+ com_err(data->prog, 0,
+ "file descriptor number %d too high", sock);
+ return 0;
}
#endif
newconn = (struct connection *)malloc(sizeof(*newconn));
if (newconn == NULL) {
- data->retval = ENOMEM;
- com_err(data->prog, ENOMEM,
- "cannot allocate storage for connection info");
- return 0;
+ data->retval = ENOMEM;
+ com_err(data->prog, ENOMEM,
+ "cannot allocate storage for connection info");
+ return 0;
}
if (!ADD(connections, newconn, tmp)) {
- data->retval = ENOMEM;
- com_err(data->prog, ENOMEM, "cannot save socket info");
- free(newconn);
- return 0;
+ data->retval = ENOMEM;
+ com_err(data->prog, ENOMEM, "cannot save socket info");
+ free(newconn);
+ return 0;
}
memset(newconn, 0, sizeof(*newconn));
@@ -395,7 +396,7 @@ static struct connection *
add_udp_fd (struct socksetup *data, int sock, int pktinfo)
{
return add_fd(data, sock, pktinfo ? CONN_UDP_PKTINFO : CONN_UDP,
- process_packet);
+ process_packet);
}
static struct connection *
@@ -417,10 +418,10 @@ delete_fd (struct connection *xconn)
int i;
FOREACH_ELT(connections, i, conn)
- if (conn == xconn) {
- DEL(connections, i);
- break;
- }
+ if (conn == xconn) {
+ DEL(connections, i);
+ break;
+ }
free(xconn);
}
@@ -431,22 +432,22 @@ add_rpc_listener_fd (struct socksetup *data, struct rpc_svc_data *svc, int sock)
conn = add_fd(data, sock, CONN_RPC_LISTENER, accept_rpc_connection);
if (conn == NULL)
- return NULL;
+ return NULL;
conn->u.rpc.transp = svctcp_create(sock, 0, 0);
if (conn->u.rpc.transp == NULL) {
- krb5_klog_syslog(LOG_ERR, "Cannot create RPC service: %s; continuing",
- strerror(errno));
- delete_fd(conn);
- return NULL;
+ krb5_klog_syslog(LOG_ERR, "Cannot create RPC service: %s; continuing",
+ strerror(errno));
+ delete_fd(conn);
+ return NULL;
}
if (!svc_register(conn->u.rpc.transp, svc->prognum, svc->versnum,
- svc->dispatch, 0)) {
- krb5_klog_syslog(LOG_ERR, "Cannot register RPC service: %s; continuing",
- strerror(errno));
- delete_fd(conn);
- return NULL;
+ svc->dispatch, 0)) {
+ krb5_klog_syslog(LOG_ERR, "Cannot register RPC service: %s; continuing",
+ strerror(errno));
+ delete_fd(conn);
+ return NULL;
}
return conn;
@@ -487,60 +488,60 @@ setup_a_tcp_listener(struct socksetup *data, struct sockaddr *addr)
sock = socket(addr->sa_family, SOCK_STREAM, 0);
if (sock == -1) {
- com_err(data->prog, errno, "Cannot create TCP server socket on %s",
- paddr(addr));
- return -1;
+ com_err(data->prog, errno, "Cannot create TCP server socket on %s",
+ paddr(addr));
+ return -1;
}
set_cloexec_fd(sock);
#ifndef _WIN32
if (sock >= FD_SETSIZE) {
- close(sock);
- com_err(data->prog, 0, "TCP socket fd number %d (for %s) too high",
- sock, paddr(addr));
- return -1;
+ close(sock);
+ com_err(data->prog, 0, "TCP socket fd number %d (for %s) too high",
+ sock, paddr(addr));
+ return -1;
}
#endif
if (setreuseaddr(sock, 1) < 0)
- com_err(data->prog, errno,
- "Cannot enable SO_REUSEADDR on fd %d", sock);
+ com_err(data->prog, errno,
+ "Cannot enable SO_REUSEADDR on fd %d", sock);
#ifdef KRB5_USE_INET6
if (addr->sa_family == AF_INET6) {
#ifdef IPV6_V6ONLY
- if (setv6only(sock, 1))
- com_err(data->prog, errno, "setsockopt(%d,IPV6_V6ONLY,1) failed",
- sock);
- else
- com_err(data->prog, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked",
- sock);
+ if (setv6only(sock, 1))
+ com_err(data->prog, errno, "setsockopt(%d,IPV6_V6ONLY,1) failed",
+ sock);
+ else
+ com_err(data->prog, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked",
+ sock);
#else
- krb5_klog_syslog(LOG_INFO, "no IPV6_V6ONLY socket option support");
+ krb5_klog_syslog(LOG_INFO, "no IPV6_V6ONLY socket option support");
#endif /* IPV6_V6ONLY */
}
#endif /* KRB5_USE_INET6 */
if (bind(sock, addr, socklen(addr)) == -1) {
- com_err(data->prog, errno,
- "Cannot bind TCP server socket on %s", paddr(addr));
- close(sock);
- return -1;
+ com_err(data->prog, errno,
+ "Cannot bind TCP server socket on %s", paddr(addr));
+ close(sock);
+ return -1;
}
if (listen(sock, 5) < 0) {
- com_err(data->prog, errno, "Cannot listen on TCP server socket on %s",
- paddr(addr));
- close(sock);
- return -1;
+ com_err(data->prog, errno, "Cannot listen on TCP server socket on %s",
+ paddr(addr));
+ close(sock);
+ return -1;
}
if (setnbio(sock)) {
- com_err(data->prog, errno,
- "cannot set listening tcp socket on %s non-blocking",
- paddr(addr));
- close(sock);
- return -1;
+ com_err(data->prog, errno,
+ "cannot set listening tcp socket on %s non-blocking",
+ paddr(addr));
+ close(sock);
+ return -1;
}
if (setnolinger(sock)) {
- com_err(data->prog, errno, "disabling SO_LINGER on TCP socket on %s",
- paddr(addr));
- close(sock);
- return -1;
+ com_err(data->prog, errno, "disabling SO_LINGER on TCP socket on %s",
+ paddr(addr));
+ close(sock);
+ return -1;
}
return sock;
}
@@ -553,27 +554,27 @@ setup_a_rpc_listener(struct socksetup *data, struct sockaddr *addr)
sock = socket(addr->sa_family, SOCK_STREAM, 0);
if (sock == -1) {
- com_err(data->prog, errno, "Cannot create RPC server socket on %s",
- paddr(addr));
- return -1;
+ com_err(data->prog, errno, "Cannot create RPC server socket on %s",
+ paddr(addr));
+ return -1;
}
set_cloexec_fd(sock);
#ifndef _WIN32
if (sock >= FD_SETSIZE) {
- close(sock);
- com_err(data->prog, 0, "RPC socket fd number %d (for %s) too high",
- sock, paddr(addr));
- return -1;
+ close(sock);
+ com_err(data->prog, 0, "RPC socket fd number %d (for %s) too high",
+ sock, paddr(addr));
+ return -1;
}
#endif
if (setreuseaddr(sock, 1) < 0)
- com_err(data->prog, errno,
- "Cannot enable SO_REUSEADDR on fd %d", sock);
+ com_err(data->prog, errno,
+ "Cannot enable SO_REUSEADDR on fd %d", sock);
if (bind(sock, addr, socklen(addr)) == -1) {
- com_err(data->prog, errno,
- "Cannot bind RPC server socket on %s", paddr(addr));
- close(sock);
- return -1;
+ com_err(data->prog, errno,
+ "Cannot bind RPC server socket on %s", paddr(addr));
+ close(sock);
+ return -1;
}
return sock;
}
@@ -604,58 +605,58 @@ setup_tcp_listener_ports(struct socksetup *data)
#endif
FOREACH_ELT (tcp_port_data, i, port) {
- int s4, s6;
-
- set_sa_port((struct sockaddr *)&sin4, htons(port));
- if (!ipv6_enabled()) {
- s4 = setup_a_tcp_listener(data, (struct sockaddr *)&sin4);
- if (s4 < 0)
- return -1;
- s6 = -1;
- } else {
+ int s4, s6;
+
+ set_sa_port((struct sockaddr *)&sin4, htons(port));
+ if (!ipv6_enabled()) {
+ s4 = setup_a_tcp_listener(data, (struct sockaddr *)&sin4);
+ if (s4 < 0)
+ return -1;
+ s6 = -1;
+ } else {
#ifndef KRB5_USE_INET6
- abort();
+ abort();
#else
- s4 = s6 = -1;
+ s4 = s6 = -1;
- set_sa_port((struct sockaddr *)&sin6, htons(port));
+ set_sa_port((struct sockaddr *)&sin6, htons(port));
- s6 = setup_a_tcp_listener(data, (struct sockaddr *)&sin6);
- if (s6 < 0)
- return -1;
+ s6 = setup_a_tcp_listener(data, (struct sockaddr *)&sin6);
+ if (s6 < 0)
+ return -1;
- s4 = setup_a_tcp_listener(data, (struct sockaddr *)&sin4);
+ s4 = setup_a_tcp_listener(data, (struct sockaddr *)&sin4);
#endif /* KRB5_USE_INET6 */
- }
-
- /* Sockets are created, prepare to listen on them. */
- if (s4 >= 0) {
- if (add_tcp_listener_fd(data, s4) == NULL)
- close(s4);
- else {
- FD_SET(s4, &sstate.rfds);
- if (s4 >= sstate.max)
- sstate.max = s4 + 1;
- krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s",
- s4, paddr((struct sockaddr *)&sin4));
- }
- }
+ }
+
+ /* Sockets are created, prepare to listen on them. */
+ if (s4 >= 0) {
+ if (add_tcp_listener_fd(data, s4) == NULL)
+ close(s4);
+ else {
+ FD_SET(s4, &sstate.rfds);
+ if (s4 >= sstate.max)
+ sstate.max = s4 + 1;
+ krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s",
+ s4, paddr((struct sockaddr *)&sin4));
+ }
+ }
#ifdef KRB5_USE_INET6
- if (s6 >= 0) {
- if (add_tcp_listener_fd(data, s6) == NULL) {
- close(s6);
- s6 = -1;
- } else {
- FD_SET(s6, &sstate.rfds);
- if (s6 >= sstate.max)
- sstate.max = s6 + 1;
- krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s",
- s6, paddr((struct sockaddr *)&sin6));
- }
- if (s4 < 0)
- krb5_klog_syslog(LOG_INFO,
- "assuming IPv6 socket accepts IPv4");
- }
+ if (s6 >= 0) {
+ if (add_tcp_listener_fd(data, s6) == NULL) {
+ close(s6);
+ s6 = -1;
+ } else {
+ FD_SET(s6, &sstate.rfds);
+ if (s6 >= sstate.max)
+ sstate.max = s6 + 1;
+ krb5_klog_syslog(LOG_INFO, "listening on fd %d: tcp %s",
+ s6, paddr((struct sockaddr *)&sin6));
+ }
+ if (s4 < 0)
+ krb5_klog_syslog(LOG_INFO,
+ "assuming IPv6 socket accepts IPv4");
+ }
#endif
}
return 0;
@@ -676,23 +677,23 @@ setup_rpc_listener_ports(struct socksetup *data)
sin4.sin_addr.s_addr = INADDR_ANY;
FOREACH_ELT (rpc_svc_data, i, svc) {
- int s4;
-
- set_sa_port((struct sockaddr *)&sin4, htons(svc.port));
- s4 = setup_a_rpc_listener(data, (struct sockaddr *)&sin4);
- if (s4 < 0)
- return -1;
- else {
- if (add_rpc_listener_fd(data, &svc, s4) == NULL)
- close(s4);
- else {
- FD_SET(s4, &sstate.rfds);
- if (s4 >= sstate.max)
- sstate.max = s4 + 1;
- krb5_klog_syslog(LOG_INFO, "listening on fd %d: rpc %s",
- s4, paddr((struct sockaddr *)&sin4));
- }
- }
+ int s4;
+
+ set_sa_port((struct sockaddr *)&sin4, htons(svc.port));
+ s4 = setup_a_rpc_listener(data, (struct sockaddr *)&sin4);
+ if (s4 < 0)
+ return -1;
+ else {
+ if (add_rpc_listener_fd(data, &svc, s4) == NULL)
+ close(s4);
+ else {
+ FD_SET(s4, &sstate.rfds);
+ if (s4 >= sstate.max)
+ sstate.max = s4 + 1;
+ krb5_klog_syslog(LOG_INFO, "listening on fd %d: rpc %s",
+ s4, paddr((struct sockaddr *)&sin4));
+ }
+ }
}
FD_ZERO(&rpc_listenfds);
rpc_listenfds = svc_fdset;
@@ -712,39 +713,39 @@ union pktinfo {
static int
setup_udp_port_1(struct socksetup *data, struct sockaddr *addr,
- char *haddrbuf, int pktinfo);
+ char *haddrbuf, int pktinfo);
static void
setup_udp_pktinfo_ports(struct socksetup *data)
{
#ifdef IP_PKTINFO
{
- struct sockaddr_in sa;
- int r;
+ struct sockaddr_in sa;
+ int r;
- memset(&sa, 0, sizeof(sa));
- sa.sin_family = AF_INET;
+ memset(&sa, 0, sizeof(sa));
+ sa.sin_family = AF_INET;
#ifdef HAVE_SA_LEN
- sa.sin_len = sizeof(sa);
+ sa.sin_len = sizeof(sa);
#endif
- r = setup_udp_port_1(data, (struct sockaddr *) &sa, "0.0.0.0", 4);
- if (r == 0)
- data->udp_flags &= ~UDP_DO_IPV4;
+ r = setup_udp_port_1(data, (struct sockaddr *) &sa, "0.0.0.0", 4);
+ if (r == 0)
+ data->udp_flags &= ~UDP_DO_IPV4;
}
#endif
#ifdef IPV6_PKTINFO
{
- struct sockaddr_in6 sa;
- int r;
+ struct sockaddr_in6 sa;
+ int r;
- memset(&sa, 0, sizeof(sa));
- sa.sin6_family = AF_INET6;
+ memset(&sa, 0, sizeof(sa));
+ sa.sin6_family = AF_INET6;
#ifdef HAVE_SA_LEN
- sa.sin6_len = sizeof(sa);
+ sa.sin6_len = sizeof(sa);
#endif
- r = setup_udp_port_1(data, (struct sockaddr *) &sa, "::", 6);
- if (r == 0)
- data->udp_flags &= ~UDP_DO_IPV6;
+ r = setup_udp_port_1(data, (struct sockaddr *) &sa, "::", 6);
+ if (r == 0)
+ data->udp_flags &= ~UDP_DO_IPV6;
}
#endif
}
@@ -757,67 +758,67 @@ setup_udp_pktinfo_ports(struct socksetup *data)
static int
setup_udp_port_1(struct socksetup *data, struct sockaddr *addr,
- char *haddrbuf, int pktinfo)
+ char *haddrbuf, int pktinfo)
{
int sock = -1, i, r;
u_short port;
FOREACH_ELT (udp_port_data, i, port) {
- sock = socket (addr->sa_family, SOCK_DGRAM, 0);
- if (sock == -1) {
- data->retval = errno;
- com_err(data->prog, data->retval,
- "Cannot create server socket for port %d address %s",
- port, haddrbuf);
- return 1;
- }
- set_cloexec_fd(sock);
+ sock = socket (addr->sa_family, SOCK_DGRAM, 0);
+ if (sock == -1) {
+ data->retval = errno;
+ com_err(data->prog, data->retval,
+ "Cannot create server socket for port %d address %s",
+ port, haddrbuf);
+ return 1;
+ }
+ set_cloexec_fd(sock);
#ifdef KRB5_USE_INET6
- if (addr->sa_family == AF_INET6) {
+ if (addr->sa_family == AF_INET6) {
#ifdef IPV6_V6ONLY
- if (setv6only(sock, 1))
- com_err(data->prog, errno,
- "setsockopt(%d,IPV6_V6ONLY,1) failed", sock);
- else
- com_err(data->prog, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked",
- sock);
+ if (setv6only(sock, 1))
+ com_err(data->prog, errno,
+ "setsockopt(%d,IPV6_V6ONLY,1) failed", sock);
+ else
+ com_err(data->prog, 0, "setsockopt(%d,IPV6_V6ONLY,1) worked",
+ sock);
#else
- krb5_klog_syslog(LOG_INFO, "no IPV6_V6ONLY socket option support");
+ krb5_klog_syslog(LOG_INFO, "no IPV6_V6ONLY socket option support");
#endif /* IPV6_V6ONLY */
- }
+ }
#endif
- set_sa_port(addr, htons(port));
- if (bind (sock, (struct sockaddr *)addr, socklen (addr)) == -1) {
- data->retval = errno;
- com_err(data->prog, data->retval,
- "Cannot bind server socket to port %d address %s",
- port, haddrbuf);
- close(sock);
- return 1;
- }
+ set_sa_port(addr, htons(port));
+ if (bind (sock, (struct sockaddr *)addr, socklen (addr)) == -1) {
+ data->retval = errno;
+ com_err(data->prog, data->retval,
+ "Cannot bind server socket to port %d address %s",
+ port, haddrbuf);
+ close(sock);
+ return 1;
+ }
#if !(defined(CMSG_SPACE) && defined(HAVE_STRUCT_CMSGHDR) && (defined(IP_PKTINFO) || defined(IPV6_PKTINFO)))
- assert(pktinfo == 0);
+ assert(pktinfo == 0);
#endif
- if (pktinfo) {
- r = set_pktinfo(sock, addr->sa_family);
- if (r) {
- com_err(data->prog, r,
- "Cannot request packet info for udp socket address %s port %d",
- haddrbuf, port);
- close(sock);
- return 1;
- }
- }
- krb5_klog_syslog (LOG_INFO, "listening on fd %d: udp %s%s", sock,
- paddr((struct sockaddr *)addr),
- pktinfo ? " (pktinfo)" : "");
- if (add_udp_fd (data, sock, pktinfo) == 0) {
- close(sock);
- return 1;
- }
- FD_SET (sock, &sstate.rfds);
- if (sock >= sstate.max)
- sstate.max = sock + 1;
+ if (pktinfo) {
+ r = set_pktinfo(sock, addr->sa_family);
+ if (r) {
+ com_err(data->prog, r,
+ "Cannot request packet info for udp socket address %s port %d",
+ haddrbuf, port);
+ close(sock);
+ return 1;
+ }
+ }
+ krb5_klog_syslog (LOG_INFO, "listening on fd %d: udp %s%s", sock,
+ paddr((struct sockaddr *)addr),
+ pktinfo ? " (pktinfo)" : "");
+ if (add_udp_fd (data, sock, pktinfo) == 0) {
+ close(sock);
+ return 1;
+ }
+ FD_SET (sock, &sstate.rfds);
+ if (sock >= sstate.max)
+ sstate.max = sock + 1;
}
return 0;
}
@@ -830,51 +831,51 @@ setup_udp_port(void *P_data, struct sockaddr *addr)
int err;
if (addr->sa_family == AF_INET && !(data->udp_flags & UDP_DO_IPV4))
- return 0;
+ return 0;
#ifdef AF_INET6
if (addr->sa_family == AF_INET6 && !(data->udp_flags & UDP_DO_IPV6))
- return 0;
+ return 0;
#endif
err = getnameinfo(addr, socklen(addr), haddrbuf, sizeof(haddrbuf),
- 0, 0, NI_NUMERICHOST);
+ 0, 0, NI_NUMERICHOST);
if (err)
- strlcpy(haddrbuf, "<unprintable>", sizeof(haddrbuf));
+ strlcpy(haddrbuf, "<unprintable>", sizeof(haddrbuf));
switch (addr->sa_family) {
case AF_INET:
- break;
+ break;
#ifdef AF_INET6
case AF_INET6:
#ifdef KRB5_USE_INET6
- break;
+ break;
#else
- {
- static int first = 1;
- if (first) {
- krb5_klog_syslog (LOG_INFO, "skipping local ipv6 addresses");
- first = 0;
- }
- return 0;
- }
+ {
+ static int first = 1;
+ if (first) {
+ krb5_klog_syslog (LOG_INFO, "skipping local ipv6 addresses");
+ first = 0;
+ }
+ return 0;
+ }
#endif
#endif
#ifdef AF_LINK /* some BSD systems, AIX */
case AF_LINK:
- return 0;
+ return 0;
#endif
#ifdef AF_DLI /* Direct Link Interface - DEC Ultrix/OSF1 link layer? */
case AF_DLI:
- return 0;
+ return 0;
#endif
#ifdef AF_APPLETALK
case AF_APPLETALK:
- return 0;
+ return 0;
#endif
default:
- krb5_klog_syslog (LOG_INFO,
- "skipping unrecognized local address family %d",
- addr->sa_family);
- return 0;
+ krb5_klog_syslog (LOG_INFO,
+ "skipping unrecognized local address family %d",
+ addr->sa_family);
+ return 0;
}
return setup_udp_port_1(data, addr, haddrbuf, 0);
}
@@ -886,40 +887,40 @@ static void klog_handler(const void *data, size_t len)
static int bufoffset;
void *p;
-#define flush_buf() \
- (bufoffset \
- ? (((buf[0] == 0 || buf[0] == '\n') \
- ? (fork()==0?abort():(void)0) \
- : (void)0), \
- krb5_klog_syslog(LOG_INFO, "%s", buf), \
- memset(buf, 0, sizeof(buf)), \
- bufoffset = 0) \
- : 0)
+#define flush_buf() \
+ (bufoffset \
+ ? (((buf[0] == 0 || buf[0] == '\n') \
+ ? (fork()==0?abort():(void)0) \
+ : (void)0), \
+ krb5_klog_syslog(LOG_INFO, "%s", buf), \
+ memset(buf, 0, sizeof(buf)), \
+ bufoffset = 0) \
+ : 0)
p = memchr(data, 0, len);
if (p)
- len = (const char *)p - (const char *)data;
+ len = (const char *)p - (const char *)data;
scan_for_newlines:
if (len == 0)
- return;
+ return;
p = memchr(data, '\n', len);
if (p) {
- if (p != data)
- klog_handler(data, (size_t)((const char *)p - (const char *)data));
- flush_buf();
- len -= ((const char *)p - (const char *)data) + 1;
- data = 1 + (const char *)p;
- goto scan_for_newlines;
+ if (p != data)
+ klog_handler(data, (size_t)((const char *)p - (const char *)data));
+ flush_buf();
+ len -= ((const char *)p - (const char *)data) + 1;
+ data = 1 + (const char *)p;
+ goto scan_for_newlines;
} else if (len > sizeof(buf) - 1 || len + bufoffset > sizeof(buf) - 1) {
- size_t x = sizeof(buf) - len - 1;
- klog_handler(data, x);
- flush_buf();
- len -= x;
- data = (const char *)data + x;
- goto scan_for_newlines;
+ size_t x = sizeof(buf) - len - 1;
+ klog_handler(data, x);
+ flush_buf();
+ len -= x;
+ data = (const char *)data + x;
+ goto scan_for_newlines;
} else {
- memcpy(buf + bufoffset, data, len);
- bufoffset += len;
+ memcpy(buf + bufoffset, data, len);
+ bufoffset += len;
}
}
#endif
@@ -953,70 +954,70 @@ static char *rtm_type_name(int type)
}
static void process_routing_update(void *handle, struct connection *conn,
- const char *prog, int selflags)
+ const char *prog, int selflags)
{
int n_read;
struct rt_msghdr rtm;
krb5_klog_syslog(LOG_INFO, "routing socket readable");
while ((n_read = read(conn->fd, &rtm, sizeof(rtm))) > 0) {
- if (n_read < sizeof(rtm)) {
- /* Quick hack to figure out if the interesting
- fields are present in a short read.
+ if (n_read < sizeof(rtm)) {
+ /* Quick hack to figure out if the interesting
+ fields are present in a short read.
- A short read seems to be normal for some message types.
- Only complain if we don't have the critical initial
- header fields. */
+ A short read seems to be normal for some message types.
+ Only complain if we don't have the critical initial
+ header fields. */
#define RS(FIELD) (offsetof(struct rt_msghdr, FIELD) + sizeof(rtm.FIELD))
- if (n_read < RS(rtm_type) ||
- n_read < RS(rtm_version) ||
- n_read < RS(rtm_msglen)) {
- krb5_klog_syslog(LOG_ERR,
- "short read (%d/%d) from routing socket",
- n_read, (int) sizeof(rtm));
- return;
- }
- }
- krb5_klog_syslog(LOG_INFO,
- "got routing msg type %d(%s) v%d",
- rtm.rtm_type, rtm_type_name(rtm.rtm_type),
- rtm.rtm_version);
- if (rtm.rtm_msglen > sizeof(rtm)) {
- /* It appears we get a partial message and the rest is
- thrown away? */
- } else if (rtm.rtm_msglen != n_read) {
- krb5_klog_syslog(LOG_ERR,
- "read %d from routing socket but msglen is %d",
- n_read, rtm.rtm_msglen);
- }
- switch (rtm.rtm_type) {
- case RTM_ADD:
- case RTM_DELETE:
- case RTM_NEWADDR:
- case RTM_DELADDR:
- case RTM_IFINFO:
- case RTM_OLDADD:
- case RTM_OLDDEL:
- krb5_klog_syslog(LOG_INFO, "reconfiguration needed");
- network_reconfiguration_needed = 1;
- break;
- case RTM_RESOLVE:
+ if (n_read < RS(rtm_type) ||
+ n_read < RS(rtm_version) ||
+ n_read < RS(rtm_msglen)) {
+ krb5_klog_syslog(LOG_ERR,
+ "short read (%d/%d) from routing socket",
+ n_read, (int) sizeof(rtm));
+ return;
+ }
+ }
+ krb5_klog_syslog(LOG_INFO,
+ "got routing msg type %d(%s) v%d",
+ rtm.rtm_type, rtm_type_name(rtm.rtm_type),
+ rtm.rtm_version);
+ if (rtm.rtm_msglen > sizeof(rtm)) {
+ /* It appears we get a partial message and the rest is
+ thrown away? */
+ } else if (rtm.rtm_msglen != n_read) {
+ krb5_klog_syslog(LOG_ERR,
+ "read %d from routing socket but msglen is %d",
+ n_read, rtm.rtm_msglen);
+ }
+ switch (rtm.rtm_type) {
+ case RTM_ADD:
+ case RTM_DELETE:
+ case RTM_NEWADDR:
+ case RTM_DELADDR:
+ case RTM_IFINFO:
+ case RTM_OLDADD:
+ case RTM_OLDDEL:
+ krb5_klog_syslog(LOG_INFO, "reconfiguration needed");
+ network_reconfiguration_needed = 1;
+ break;
+ case RTM_RESOLVE:
#ifdef RTM_NEWMADDR
- case RTM_NEWMADDR:
- case RTM_DELMADDR:
+ case RTM_NEWMADDR:
+ case RTM_DELMADDR:
#endif
- case RTM_MISS:
- case RTM_REDIRECT:
- case RTM_LOSING:
- case RTM_GET:
- /* Not interesting. */
- krb5_klog_syslog(LOG_DEBUG, "routing msg not interesting");
- break;
- default:
- krb5_klog_syslog(LOG_INFO, "unhandled routing message type, will reconfigure just for the fun of it");
- network_reconfiguration_needed = 1;
- break;
- }
+ case RTM_MISS:
+ case RTM_REDIRECT:
+ case RTM_LOSING:
+ case RTM_GET:
+ /* Not interesting. */
+ krb5_klog_syslog(LOG_DEBUG, "routing msg not interesting");
+ break;
+ default:
+ krb5_klog_syslog(LOG_INFO, "unhandled routing message type, will reconfigure just for the fun of it");
+ network_reconfiguration_needed = 1;
+ break;
+ }
}
}
@@ -1025,14 +1026,14 @@ setup_routing_socket(struct socksetup *data)
{
int sock = socket(PF_ROUTE, SOCK_RAW, 0);
if (sock < 0) {
- int e = errno;
- krb5_klog_syslog(LOG_INFO, "couldn't set up routing socket: %s",
- strerror(e));
+ int e = errno;
+ krb5_klog_syslog(LOG_INFO, "couldn't set up routing socket: %s",
+ strerror(e));
} else {
- krb5_klog_syslog(LOG_INFO, "routing socket is fd %d", sock);
- add_fd(data, sock, CONN_ROUTING, process_routing_update);
- setnbio(sock);
- FD_SET(sock, &sstate.rfds);
+ krb5_klog_syslog(LOG_INFO, "routing socket is fd %d", sock);
+ add_fd(data, sock, CONN_ROUTING, process_routing_update);
+ setnbio(sock);
+ FD_SET(sock, &sstate.rfds);
}
}
#endif
@@ -1058,25 +1059,25 @@ setup_network(void *handle, const char *prog)
retval = add_udp_port(server_handle->params.kpasswd_port);
if (retval)
- return retval;
+ return retval;
retval = add_tcp_port(server_handle->params.kpasswd_port);
if (retval)
- return retval;
+ return retval;
retval = add_rpc_service(server_handle->params.kadmind_port,
- KADM, KADMVERS,
- kadm_1);
+ KADM, KADMVERS,
+ kadm_1);
if (retval)
- return retval;
+ return retval;
#ifndef DISABLE_IPROP
if (server_handle->params.iprop_enabled) {
- retval = add_rpc_service(server_handle->params.iprop_port,
- KRB5_IPROP_PROG, KRB5_IPROP_VERS,
- krb5_iprop_prog_1);
- if (retval)
- return retval;
+ retval = add_rpc_service(server_handle->params.iprop_port,
+ KRB5_IPROP_PROG, KRB5_IPROP_VERS,
+ krb5_iprop_prog_1);
+ if (retval)
+ return retval;
}
#endif /* DISABLE_IPROP */
@@ -1093,16 +1094,16 @@ setup_network(void *handle, const char *prog)
setup_data.udp_flags = UDP_DO_IPV4 | UDP_DO_IPV6;
setup_udp_pktinfo_ports(&setup_data);
if (setup_data.udp_flags) {
- if (foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
- return setup_data.retval;
- }
+ if (foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
+ return setup_data.retval;
+ }
}
setup_tcp_listener_ports(&setup_data);
setup_rpc_listener_ports(&setup_data);
krb5_klog_syslog (LOG_INFO, "set up %d sockets", n_sockets);
if (n_sockets == 0) {
- com_err(prog, 0, "no sockets set up?");
- exit (1);
+ com_err(prog, 0, "no sockets set up?");
+ exit (1);
}
return 0;
@@ -1112,45 +1113,45 @@ static void init_addr(krb5_fulladdr *faddr, struct sockaddr *sa)
{
switch (sa->sa_family) {
case AF_INET:
- faddr->address->addrtype = ADDRTYPE_INET;
- faddr->address->length = 4;
- faddr->address->contents = (krb5_octet *) &sa2sin(sa)->sin_addr;
- faddr->port = ntohs(sa2sin(sa)->sin_port);
- break;
+ faddr->address->addrtype = ADDRTYPE_INET;
+ faddr->address->length = 4;
+ faddr->address->contents = (krb5_octet *) &sa2sin(sa)->sin_addr;
+ faddr->port = ntohs(sa2sin(sa)->sin_port);
+ break;
#ifdef KRB5_USE_INET6
case AF_INET6:
- if (IN6_IS_ADDR_V4MAPPED(&sa2sin6(sa)->sin6_addr)) {
- faddr->address->addrtype = ADDRTYPE_INET;
- faddr->address->length = 4;
- faddr->address->contents = 12 + (krb5_octet *) &sa2sin6(sa)->sin6_addr;
- } else {
- faddr->address->addrtype = ADDRTYPE_INET6;
- faddr->address->length = 16;
- faddr->address->contents = (krb5_octet *) &sa2sin6(sa)->sin6_addr;
- }
- faddr->port = ntohs(sa2sin6(sa)->sin6_port);
- break;
+ if (IN6_IS_ADDR_V4MAPPED(&sa2sin6(sa)->sin6_addr)) {
+ faddr->address->addrtype = ADDRTYPE_INET;
+ faddr->address->length = 4;
+ faddr->address->contents = 12 + (krb5_octet *) &sa2sin6(sa)->sin6_addr;
+ } else {
+ faddr->address->addrtype = ADDRTYPE_INET6;
+ faddr->address->length = 16;
+ faddr->address->contents = (krb5_octet *) &sa2sin6(sa)->sin6_addr;
+ }
+ faddr->port = ntohs(sa2sin6(sa)->sin6_port);
+ break;
#endif
default:
- faddr->address->addrtype = -1;
- faddr->address->length = 0;
- faddr->address->contents = 0;
- faddr->port = 0;
- break;
+ faddr->address->addrtype = -1;
+ faddr->address->length = 0;
+ faddr->address->contents = 0;
+ faddr->port = 0;
+ break;
}
}
static int
recv_from_to(int s, void *buf, size_t len, int flags,
- struct sockaddr *from, socklen_t *fromlen,
- struct sockaddr *to, socklen_t *tolen)
+ struct sockaddr *from, socklen_t *fromlen,
+ struct sockaddr *to, socklen_t *tolen)
{
#if (!defined(IP_PKTINFO) && !defined(IPV6_PKTINFO)) || !defined(CMSG_SPACE)
if (to && tolen) {
- /* Clobber with something recognizeable in case we try to use
- the address. */
- memset(to, 0x40, *tolen);
- *tolen = 0;
+ /* Clobber with something recognizeable in case we try to use
+ the address. */
+ memset(to, 0x40, *tolen);
+ *tolen = 0;
}
return recvfrom(s, buf, len, flags, from, fromlen);
@@ -1162,7 +1163,7 @@ recv_from_to(int s, void *buf, size_t len, int flags,
struct msghdr msg;
if (!to || !tolen)
- return recvfrom(s, buf, len, flags, from, fromlen);
+ return recvfrom(s, buf, len, flags, from, fromlen);
/* Clobber with something recognizeable in case we can't extract
the address but try to use it anyways. */
@@ -1180,7 +1181,7 @@ recv_from_to(int s, void *buf, size_t len, int flags,
r = recvmsg(s, &msg, flags);
if (r < 0)
- return r;
+ return r;
*fromlen = msg.msg_namelen;
/* On Darwin (and presumably all *BSD with KAME stacks),
@@ -1188,36 +1189,36 @@ recv_from_to(int s, void *buf, size_t len, int flags,
3542 recommends making this check, even though the (new) spec
for CMSG_FIRSTHDR says it's supposed to do the check. */
if (msg.msg_controllen) {
- cmsgptr = CMSG_FIRSTHDR(&msg);
- while (cmsgptr) {
+ cmsgptr = CMSG_FIRSTHDR(&msg);
+ while (cmsgptr) {
#ifdef IP_PKTINFO
- if (cmsgptr->cmsg_level == IPPROTO_IP
- && cmsgptr->cmsg_type == IP_PKTINFO
- && *tolen >= sizeof(struct sockaddr_in)) {
- struct in_pktinfo *pktinfo;
- memset(to, 0, sizeof(struct sockaddr_in));
- pktinfo = (struct in_pktinfo *)CMSG_DATA(cmsgptr);
- ((struct sockaddr_in *)to)->sin_addr = pktinfo->ipi_addr;
- ((struct sockaddr_in *)to)->sin_family = AF_INET;
- *tolen = sizeof(struct sockaddr_in);
- return r;
- }
+ if (cmsgptr->cmsg_level == IPPROTO_IP
+ && cmsgptr->cmsg_type == IP_PKTINFO
+ && *tolen >= sizeof(struct sockaddr_in)) {
+ struct in_pktinfo *pktinfo;
+ memset(to, 0, sizeof(struct sockaddr_in));
+ pktinfo = (struct in_pktinfo *)CMSG_DATA(cmsgptr);
+ ((struct sockaddr_in *)to)->sin_addr = pktinfo->ipi_addr;
+ ((struct sockaddr_in *)to)->sin_family = AF_INET;
+ *tolen = sizeof(struct sockaddr_in);
+ return r;
+ }
#endif
#if defined(KRB5_USE_INET6) && defined(IPV6_PKTINFO)&& defined(HAVE_STRUCT_IN6_PKTINFO)
- if (cmsgptr->cmsg_level == IPPROTO_IPV6
- && cmsgptr->cmsg_type == IPV6_PKTINFO
- && *tolen >= sizeof(struct sockaddr_in6)) {
- struct in6_pktinfo *pktinfo;
- memset(to, 0, sizeof(struct sockaddr_in6));
- pktinfo = (struct in6_pktinfo *)CMSG_DATA(cmsgptr);
- ((struct sockaddr_in6 *)to)->sin6_addr = pktinfo->ipi6_addr;
- ((struct sockaddr_in6 *)to)->sin6_family = AF_INET6;
- *tolen = sizeof(struct sockaddr_in6);
- return r;
- }
+ if (cmsgptr->cmsg_level == IPPROTO_IPV6
+ && cmsgptr->cmsg_type == IPV6_PKTINFO
+ && *tolen >= sizeof(struct sockaddr_in6)) {
+ struct in6_pktinfo *pktinfo;
+ memset(to, 0, sizeof(struct sockaddr_in6));
+ pktinfo = (struct in6_pktinfo *)CMSG_DATA(cmsgptr);
+ ((struct sockaddr_in6 *)to)->sin6_addr = pktinfo->ipi6_addr;
+ ((struct sockaddr_in6 *)to)->sin6_family = AF_INET6;
+ *tolen = sizeof(struct sockaddr_in6);
+ return r;
+ }
#endif
- cmsgptr = CMSG_NXTHDR(&msg, cmsgptr);
- }
+ cmsgptr = CMSG_NXTHDR(&msg, cmsgptr);
+ }
}
/* No info about destination addr was available. */
*tolen = 0;
@@ -1227,8 +1228,8 @@ recv_from_to(int s, void *buf, size_t len, int flags,
static int
send_to_from(int s, void *buf, size_t len, int flags,
- const struct sockaddr *to, socklen_t tolen,
- const struct sockaddr *from, socklen_t fromlen)
+ const struct sockaddr *to, socklen_t tolen,
+ const struct sockaddr *from, socklen_t fromlen)
{
#if (!defined(IP_PKTINFO) && !defined(IPV6_PKTINFO)) || !defined(CMSG_SPACE)
return sendto(s, buf, len, flags, to, tolen);
@@ -1240,14 +1241,14 @@ send_to_from(int s, void *buf, size_t len, int flags,
if (from == 0 || fromlen == 0 || from->sa_family != to->sa_family) {
use_sendto:
- return sendto(s, buf, len, flags, to, tolen);
+ return sendto(s, buf, len, flags, to, tolen);
}
iov.iov_base = buf;
iov.iov_len = len;
/* Truncation? */
if (iov.iov_len != len)
- return EINVAL;
+ return EINVAL;
memset(cbuf, 0, sizeof(cbuf));
memset(&msg, 0, sizeof(msg));
msg.msg_name = (void *) to;
@@ -1264,36 +1265,36 @@ send_to_from(int s, void *buf, size_t len, int flags,
switch (from->sa_family) {
#if defined(IP_PKTINFO)
case AF_INET:
- if (fromlen != sizeof(struct sockaddr_in))
- goto use_sendto;
- cmsgptr->cmsg_level = IPPROTO_IP;
- cmsgptr->cmsg_type = IP_PKTINFO;
- cmsgptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
- {
- struct in_pktinfo *p = (struct in_pktinfo *)CMSG_DATA(cmsgptr);
- const struct sockaddr_in *from4 = (const struct sockaddr_in *)from;
- p->ipi_spec_dst = from4->sin_addr;
- }
- msg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo));
- break;
+ if (fromlen != sizeof(struct sockaddr_in))
+ goto use_sendto;
+ cmsgptr->cmsg_level = IPPROTO_IP;
+ cmsgptr->cmsg_type = IP_PKTINFO;
+ cmsgptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
+ {
+ struct in_pktinfo *p = (struct in_pktinfo *)CMSG_DATA(cmsgptr);
+ const struct sockaddr_in *from4 = (const struct sockaddr_in *)from;
+ p->ipi_spec_dst = from4->sin_addr;
+ }
+ msg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo));
+ break;
#endif
#if defined(KRB5_USE_INET6) && defined(IPV6_PKTINFO) && defined(HAVE_STRUCT_IN6_PKTINFO)
case AF_INET6:
- if (fromlen != sizeof(struct sockaddr_in6))
- goto use_sendto;
- cmsgptr->cmsg_level = IPPROTO_IPV6;
- cmsgptr->cmsg_type = IPV6_PKTINFO;
- cmsgptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
- {
- struct in6_pktinfo *p = (struct in6_pktinfo *)CMSG_DATA(cmsgptr);
- const struct sockaddr_in6 *from6 = (const struct sockaddr_in6 *)from;
- p->ipi6_addr = from6->sin6_addr;
- }
- msg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo));
- break;
+ if (fromlen != sizeof(struct sockaddr_in6))
+ goto use_sendto;
+ cmsgptr->cmsg_level = IPPROTO_IPV6;
+ cmsgptr->cmsg_type = IPV6_PKTINFO;
+ cmsgptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
+ {
+ struct in6_pktinfo *p = (struct in6_pktinfo *)CMSG_DATA(cmsgptr);
+ const struct sockaddr_in6 *from6 = (const struct sockaddr_in6 *)from;
+ p->ipi6_addr = from6->sin6_addr;
+ }
+ msg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo));
+ break;
#endif
default:
- goto use_sendto;
+ goto use_sendto;
}
return sendmsg(s, &msg, flags);
#endif
@@ -1302,8 +1303,8 @@ send_to_from(int s, void *buf, size_t len, int flags,
/* Dispatch routine for set/change password */
static krb5_error_code
dispatch(void *handle,
- struct sockaddr *local_saddr, krb5_fulladdr *remote_faddr,
- krb5_data *request, krb5_data **response)
+ struct sockaddr *local_saddr, krb5_fulladdr *remote_faddr,
+ krb5_data *request, krb5_data **response)
{
krb5_error_code ret;
krb5_keytab kt = NULL;
@@ -1314,42 +1315,42 @@ dispatch(void *handle,
*response = NULL;
if (local_saddr == NULL) {
- ret = krb5_os_localaddr(server_handle->context, &local_kaddrs);
- if (ret != 0)
- goto cleanup;
+ ret = krb5_os_localaddr(server_handle->context, &local_kaddrs);
+ if (ret != 0)
+ goto cleanup;
- local_faddr.address = local_kaddrs[0];
- local_faddr.port = 0;
+ local_faddr.address = local_kaddrs[0];
+ local_faddr.port = 0;
} else {
- local_faddr.address = &local_kaddr_buf;
- init_addr(&local_faddr, local_saddr);
+ local_faddr.address = &local_kaddr_buf;
+ init_addr(&local_faddr, local_saddr);
}
ret = krb5_kt_resolve(server_handle->context, "KDB:", &kt);
if (ret != 0) {
- krb5_klog_syslog(LOG_ERR, "chpw: Couldn't open admin keytab %s",
- krb5_get_error_message(server_handle->context, ret));
- goto cleanup;
+ krb5_klog_syslog(LOG_ERR, "chpw: Couldn't open admin keytab %s",
+ krb5_get_error_message(server_handle->context, ret));
+ goto cleanup;
}
*response = (krb5_data *)malloc(sizeof(krb5_data));
if (*response == NULL) {
- ret = ENOMEM;
- goto cleanup;
+ ret = ENOMEM;
+ goto cleanup;
}
ret = process_chpw_request(server_handle->context,
- handle,
- server_handle->params.realm,
- kt,
- &local_faddr,
- remote_faddr,
- request,
- *response);
+ handle,
+ server_handle->params.realm,
+ kt,
+ &local_faddr,
+ remote_faddr,
+ request,
+ *response);
cleanup:
if (local_kaddrs != NULL)
- krb5_free_addresses(server_handle->context, local_kaddrs);
+ krb5_free_addresses(server_handle->context, local_kaddrs);
krb5_kt_close(server_handle->context, kt);
@@ -1357,8 +1358,8 @@ cleanup:
}
static void process_packet(void *handle,
- struct connection *conn, const char *prog,
- int selflags)
+ struct connection *conn, const char *prog,
+ int selflags)
{
int cc;
socklen_t saddr_len, daddr_len;
@@ -1376,40 +1377,40 @@ static void process_packet(void *handle,
saddr_len = sizeof(saddr);
daddr_len = sizeof(daddr);
cc = recv_from_to(port_fd, pktbuf, sizeof(pktbuf), 0,
- (struct sockaddr *)&saddr, &saddr_len,
- (struct sockaddr *)&daddr, &daddr_len);
+ (struct sockaddr *)&saddr, &saddr_len,
+ (struct sockaddr *)&daddr, &daddr_len);
if (cc == -1) {
- if (errno != EINTR
- /* This is how Linux indicates that a previous
- transmission was refused, e.g., if the client timed out
- before getting the response packet. */
- && errno != ECONNREFUSED
- )
- com_err(prog, errno, "while receiving from network");
- return;
+ if (errno != EINTR
+ /* This is how Linux indicates that a previous
+ transmission was refused, e.g., if the client timed out
+ before getting the response packet. */
+ && errno != ECONNREFUSED
+ )
+ com_err(prog, errno, "while receiving from network");
+ return;
}
if (!cc)
- return; /* zero-length packet? */
+ return; /* zero-length packet? */
#if 0
if (daddr_len > 0) {
- char addrbuf[100];
- if (getnameinfo(ss2sa(&daddr), daddr_len, addrbuf, sizeof(addrbuf),
- 0, 0, NI_NUMERICHOST))
- strlcpy(addrbuf, "?", sizeof(addrbuf));
- com_err(prog, 0, "pktinfo says local addr is %s", addrbuf);
+ char addrbuf[100];
+ if (getnameinfo(ss2sa(&daddr), daddr_len, addrbuf, sizeof(addrbuf),
+ 0, 0, NI_NUMERICHOST))
+ strlcpy(addrbuf, "?", sizeof(addrbuf));
+ com_err(prog, 0, "pktinfo says local addr is %s", addrbuf);
}
#endif
if (daddr_len == 0 && conn->type == CONN_UDP) {
- /* If the PKTINFO option isn't set, this socket should be
- bound to a specific local address. This info probably
- should've been saved in our socket data structure at setup
- time. */
- daddr_len = sizeof(daddr);
- if (getsockname(port_fd, (struct sockaddr *)&daddr, &daddr_len) != 0)
- daddr_len = 0;
- /* On failure, keep going anyways. */
+ /* If the PKTINFO option isn't set, this socket should be
+ bound to a specific local address. This info probably
+ should've been saved in our socket data structure at setup
+ time. */
+ daddr_len = sizeof(daddr);
+ if (getsockname(port_fd, (struct sockaddr *)&daddr, &daddr_len) != 0)
+ daddr_len = 0;
+ /* On failure, keep going anyways. */
}
request.length = cc;
@@ -1418,28 +1419,28 @@ static void process_packet(void *handle,
init_addr(&faddr, ss2sa(&saddr));
/* this address is in net order */
if ((retval = dispatch(handle, ss2sa(&daddr), &faddr, &request, &response))) {
- com_err(prog, retval, "while dispatching (udp)");
- return;
+ com_err(prog, retval, "while dispatching (udp)");
+ return;
}
if (response == NULL)
- return;
+ return;
cc = send_to_from(port_fd, response->data, (socklen_t) response->length, 0,
- (struct sockaddr *)&saddr, saddr_len,
- (struct sockaddr *)&daddr, daddr_len);
+ (struct sockaddr *)&saddr, saddr_len,
+ (struct sockaddr *)&daddr, daddr_len);
if (cc == -1) {
- char addrbuf[46];
+ char addrbuf[46];
krb5_free_data(server_handle->context, response);
- if (inet_ntop(((struct sockaddr *)&saddr)->sa_family,
- addr.contents, addrbuf, sizeof(addrbuf)) == 0) {
- strlcpy(addrbuf, "?", sizeof(addrbuf));
- }
- com_err(prog, errno, "while sending reply to %s/%d",
- addrbuf, faddr.port);
- return;
+ if (inet_ntop(((struct sockaddr *)&saddr)->sa_family,
+ addr.contents, addrbuf, sizeof(addrbuf)) == 0) {
+ strlcpy(addrbuf, "?", sizeof(addrbuf));
+ }
+ com_err(prog, errno, "while sending reply to %s/%d",
+ addrbuf, faddr.port);
+ return;
}
if (cc != response->length) {
- com_err(prog, 0, "short reply write %d vs %d\n",
- response->length, cc);
+ com_err(prog, 0, "short reply write %d vs %d\n",
+ response->length, cc);
}
krb5_free_data(server_handle->context, response);
return;
@@ -1459,31 +1460,31 @@ static int kill_lru_tcp_or_rpc_connection(void *handle, struct connection *newco
krb5_klog_syslog(LOG_INFO, "too many connections");
FOREACH_ELT (connections, i, c) {
- if (c->type != CONN_TCP && c->type != CONN_RPC)
- continue;
- if (c == newconn)
- continue;
+ if (c->type != CONN_TCP && c->type != CONN_RPC)
+ continue;
+ if (c == newconn)
+ continue;
#if 0
- krb5_klog_syslog(LOG_INFO, "fd %d started at %ld", c->fd,
- c->u.tcp.start_time);
+ krb5_klog_syslog(LOG_INFO, "fd %d started at %ld", c->fd,
+ c->u.tcp.start_time);
#endif
- if (oldest_tcp == NULL
- || oldest_tcp->u.tcp.start_time > c->u.tcp.start_time)
- oldest_tcp = c;
+ if (oldest_tcp == NULL
+ || oldest_tcp->u.tcp.start_time > c->u.tcp.start_time)
+ oldest_tcp = c;
}
if (oldest_tcp != NULL) {
- krb5_klog_syslog(LOG_INFO, "dropping %s fd %d from %s",
- c->type == CONN_RPC ? "rpc" : "tcp",
- oldest_tcp->fd, oldest_tcp->u.tcp.addrbuf);
- fd = oldest_tcp->fd;
- kill_tcp_or_rpc_connection(handle, oldest_tcp, 1);
+ krb5_klog_syslog(LOG_INFO, "dropping %s fd %d from %s",
+ c->type == CONN_RPC ? "rpc" : "tcp",
+ oldest_tcp->fd, oldest_tcp->u.tcp.addrbuf);
+ fd = oldest_tcp->fd;
+ kill_tcp_or_rpc_connection(handle, oldest_tcp, 1);
}
return fd;
}
static void accept_tcp_connection(void *handle,
- struct connection *conn, const char *prog,
- int selflags)
+ struct connection *conn, const char *prog,
+ int selflags)
{
int s;
struct sockaddr_storage addr_s;
@@ -1495,12 +1496,12 @@ static void accept_tcp_connection(void *handle,
s = accept(conn->fd, addr, &addrlen);
if (s < 0)
- return;
+ return;
set_cloexec_fd(s);
#ifndef _WIN32
if (s >= FD_SETSIZE) {
- close(s);
- return;
+ close(s);
+ return;
}
#endif
setnbio(s), setnolinger(s), setkeepalive(s);
@@ -1510,26 +1511,26 @@ static void accept_tcp_connection(void *handle,
newconn = add_tcp_data_fd(&sockdata, s);
if (newconn == NULL)
- return;
+ return;
if (getnameinfo((struct sockaddr *)&addr_s, addrlen,
- newconn->u.tcp.addrbuf, sizeof(newconn->u.tcp.addrbuf),
- tmpbuf, sizeof(tmpbuf),
- NI_NUMERICHOST | NI_NUMERICSERV))
- strlcpy(newconn->u.tcp.addrbuf, "???", sizeof(newconn->u.tcp.addrbuf));
+ newconn->u.tcp.addrbuf, sizeof(newconn->u.tcp.addrbuf),
+ tmpbuf, sizeof(tmpbuf),
+ NI_NUMERICHOST | NI_NUMERICSERV))
+ strlcpy(newconn->u.tcp.addrbuf, "???", sizeof(newconn->u.tcp.addrbuf));
else {
- char *p, *end;
- p = newconn->u.tcp.addrbuf;
- end = p + sizeof(newconn->u.tcp.addrbuf);
- p += strlen(p);
- if (end - p > 2 + strlen(tmpbuf)) {
- *p++ = '.';
- strlcpy(p, tmpbuf, end - p);
- }
+ char *p, *end;
+ p = newconn->u.tcp.addrbuf;
+ end = p + sizeof(newconn->u.tcp.addrbuf);
+ p += strlen(p);
+ if (end - p > 2 + strlen(tmpbuf)) {
+ *p++ = '.';
+ strlcpy(p, tmpbuf, end - p);
+ }
}
#if 0
krb5_klog_syslog(LOG_INFO, "accepted TCP connection on socket %d from %s",
- s, newconn->u.tcp.addrbuf);
+ s, newconn->u.tcp.addrbuf);
#endif
newconn->u.tcp.addr_s = addr_s;
@@ -1539,15 +1540,15 @@ static void accept_tcp_connection(void *handle,
newconn->u.tcp.start_time = time(0);
if (++tcp_or_rpc_data_counter > max_tcp_or_rpc_data_connections)
- kill_lru_tcp_or_rpc_connection(handle, newconn);
+ kill_lru_tcp_or_rpc_connection(handle, newconn);
if (newconn->u.tcp.buffer == 0) {
- com_err(prog, errno, "allocating buffer for new TCP session from %s",
- newconn->u.tcp.addrbuf);
- delete_fd(newconn);
- close(s);
- tcp_or_rpc_data_counter--;
- return;
+ com_err(prog, errno, "allocating buffer for new TCP session from %s",
+ newconn->u.tcp.addrbuf);
+ delete_fd(newconn);
+ close(s);
+ tcp_or_rpc_data_counter--;
+ return;
}
newconn->u.tcp.offset = 0;
newconn->u.tcp.faddr.address = &newconn->u.tcp.kaddr;
@@ -1557,7 +1558,7 @@ static void accept_tcp_connection(void *handle,
FD_SET(s, &sstate.rfds);
if (sstate.max <= s)
- sstate.max = s + 1;
+ sstate.max = s + 1;
}
static void
@@ -1569,37 +1570,37 @@ kill_tcp_or_rpc_connection(void *handle, struct connection *conn, int isForcedCl
assert(conn->fd != -1);
if (conn->u.tcp.response)
- krb5_free_data(server_handle->context, conn->u.tcp.response);
+ krb5_free_data(server_handle->context, conn->u.tcp.response);
if (conn->u.tcp.buffer)
- free(conn->u.tcp.buffer);
+ free(conn->u.tcp.buffer);
FD_CLR(conn->fd, &sstate.rfds);
FD_CLR(conn->fd, &sstate.wfds);
if (sstate.max == conn->fd + 1)
- while (sstate.max > 0
- && ! FD_ISSET(sstate.max-1, &sstate.rfds)
- && ! FD_ISSET(sstate.max-1, &sstate.wfds)
- /* && ! FD_ISSET(sstate.max-1, &sstate.xfds) */
- )
- sstate.max--;
+ while (sstate.max > 0
+ && ! FD_ISSET(sstate.max-1, &sstate.rfds)
+ && ! FD_ISSET(sstate.max-1, &sstate.wfds)
+ /* && ! FD_ISSET(sstate.max-1, &sstate.xfds) */
+ )
+ sstate.max--;
/* In the non-forced case, the RPC runtime will close the descriptor for us */
if (conn->type == CONN_TCP || isForcedClose) {
- close(conn->fd);
+ close(conn->fd);
}
/* For RPC connections, call into RPC runtime to flush out any internal state */
if (conn->type == CONN_RPC && isForcedClose) {
- fd_set fds;
+ fd_set fds;
- FD_ZERO(&fds);
- FD_SET(conn->fd, &fds);
+ FD_ZERO(&fds);
+ FD_SET(conn->fd, &fds);
- svc_getreqset(&fds);
+ svc_getreqset(&fds);
- if (FD_ISSET(conn->fd, &svc_fdset)) {
- krb5_klog_syslog(LOG_ERR,
- "descriptor %d closed but still in svc_fdset", conn->fd);
- }
+ if (FD_ISSET(conn->fd, &svc_fdset)) {
+ krb5_klog_syslog(LOG_ERR,
+ "descriptor %d closed but still in svc_fdset", conn->fd);
+ }
}
conn->fd = -1;
@@ -1617,14 +1618,14 @@ make_toolong_error (void *handle, krb5_data **out)
retval = krb5_us_timeofday(server_handle->context, &errpkt.stime, &errpkt.susec);
if (retval)
- return retval;
+ return retval;
errpkt.error = KRB_ERR_FIELD_TOOLONG;
retval = krb5_build_principal(server_handle->context, &errpkt.server,
- strlen(server_handle->params.realm),
- server_handle->params.realm,
- "kadmin", "changepw", NULL);
+ strlen(server_handle->params.realm),
+ server_handle->params.realm,
+ "kadmin", "changepw", NULL);
if (retval)
- return retval;
+ return retval;
errpkt.client = NULL;
errpkt.cusec = 0;
errpkt.ctime = 0;
@@ -1634,11 +1635,11 @@ make_toolong_error (void *handle, krb5_data **out)
errpkt.e_data.data = 0;
scratch = malloc(sizeof(*scratch));
if (scratch == NULL)
- return ENOMEM;
+ return ENOMEM;
retval = krb5_mk_error(server_handle->context, &errpkt, scratch);
if (retval) {
- free(scratch);
- return retval;
+ free(scratch);
+ return retval;
}
*out = scratch;
@@ -1650,7 +1651,7 @@ queue_tcp_outgoing_response(struct connection *conn)
{
store_32_be(conn->u.tcp.response->length, conn->u.tcp.lenbuf);
SG_SET(&conn->u.tcp.sgbuf[1], conn->u.tcp.response->data,
- conn->u.tcp.response->length);
+ conn->u.tcp.response->length);
conn->u.tcp.sgp = conn->u.tcp.sgbuf;
conn->u.tcp.sgnum = 2;
FD_SET(conn->fd, &sstate.wfds);
@@ -1658,128 +1659,128 @@ queue_tcp_outgoing_response(struct connection *conn)
static void
process_tcp_connection(void *handle,
- struct connection *conn, const char *prog, int selflags)
+ struct connection *conn, const char *prog, int selflags)
{
int isForcedClose = 1; /* not used now, but for completeness */
if (selflags & SSF_WRITE) {
- ssize_t nwrote;
- SOCKET_WRITEV_TEMP tmp;
-
- nwrote = SOCKET_WRITEV(conn->fd, conn->u.tcp.sgp, conn->u.tcp.sgnum,
- tmp);
- if (nwrote < 0) {
- goto kill_tcp_connection;
- }
- if (nwrote == 0) {
- /* eof */
- isForcedClose = 0;
- goto kill_tcp_connection;
- }
- while (nwrote) {
- sg_buf *sgp = conn->u.tcp.sgp;
- if (nwrote < SG_LEN(sgp)) {
- SG_ADVANCE(sgp, nwrote);
- nwrote = 0;
- } else {
- nwrote -= SG_LEN(sgp);
- conn->u.tcp.sgp++;
- conn->u.tcp.sgnum--;
- if (conn->u.tcp.sgnum == 0 && nwrote != 0)
- abort();
- }
- }
- if (conn->u.tcp.sgnum == 0) {
- /* finished sending */
- /* We should go back to reading, though if we sent a
- FIELD_TOOLONG error in reply to a length with the high
- bit set, RFC 4120 says we have to close the TCP
- stream. */
- isForcedClose = 0;
- goto kill_tcp_connection;
- }
+ ssize_t nwrote;
+ SOCKET_WRITEV_TEMP tmp;
+
+ nwrote = SOCKET_WRITEV(conn->fd, conn->u.tcp.sgp, conn->u.tcp.sgnum,
+ tmp);
+ if (nwrote < 0) {
+ goto kill_tcp_connection;
+ }
+ if (nwrote == 0) {
+ /* eof */
+ isForcedClose = 0;
+ goto kill_tcp_connection;
+ }
+ while (nwrote) {
+ sg_buf *sgp = conn->u.tcp.sgp;
+ if (nwrote < SG_LEN(sgp)) {
+ SG_ADVANCE(sgp, nwrote);
+ nwrote = 0;
+ } else {
+ nwrote -= SG_LEN(sgp);
+ conn->u.tcp.sgp++;
+ conn->u.tcp.sgnum--;
+ if (conn->u.tcp.sgnum == 0 && nwrote != 0)
+ abort();
+ }
+ }
+ if (conn->u.tcp.sgnum == 0) {
+ /* finished sending */
+ /* We should go back to reading, though if we sent a
+ FIELD_TOOLONG error in reply to a length with the high
+ bit set, RFC 4120 says we have to close the TCP
+ stream. */
+ isForcedClose = 0;
+ goto kill_tcp_connection;
+ }
} else if (selflags & SSF_READ) {
- /* Read message length and data into one big buffer, already
- allocated at connect time. If we have a complete message,
- we stop reading, so we should only be here if there is no
- data in the buffer, or only an incomplete message. */
- size_t len;
- ssize_t nread;
- if (conn->u.tcp.offset < 4) {
- /* msglen has not been computed */
- /* XXX Doing at least two reads here, letting the kernel
- worry about buffering. It'll be faster when we add
- code to manage the buffer here. */
- len = 4 - conn->u.tcp.offset;
- nread = SOCKET_READ(conn->fd,
- conn->u.tcp.buffer + conn->u.tcp.offset, len);
- if (nread < 0)
- /* error */
- goto kill_tcp_connection;
- if (nread == 0)
- /* eof */
- goto kill_tcp_connection;
- conn->u.tcp.offset += nread;
- if (conn->u.tcp.offset == 4) {
- unsigned char *p = (unsigned char *)conn->u.tcp.buffer;
- conn->u.tcp.msglen = load_32_be(p);
- if (conn->u.tcp.msglen > conn->u.tcp.bufsiz - 4) {
- krb5_error_code err;
- /* message too big */
- krb5_klog_syslog(LOG_ERR, "TCP client %s wants %lu bytes, cap is %lu",
- conn->u.tcp.addrbuf, (unsigned long) conn->u.tcp.msglen,
- (unsigned long) conn->u.tcp.bufsiz - 4);
- /* XXX Should return an error. */
- err = make_toolong_error (handle, &conn->u.tcp.response);
- if (err) {
- krb5_klog_syslog(LOG_ERR,
- "error constructing KRB_ERR_FIELD_TOOLONG error! %s",
- error_message(err));
- goto kill_tcp_connection;
- }
- goto have_response;
- }
- }
- } else {
- /* msglen known */
- krb5_data request;
- krb5_error_code err;
- struct sockaddr_storage local_saddr;
- socklen_t local_saddrlen = sizeof(local_saddr);
- struct sockaddr *local_saddrp = NULL;
-
- len = conn->u.tcp.msglen - (conn->u.tcp.offset - 4);
- nread = SOCKET_READ(conn->fd,
- conn->u.tcp.buffer + conn->u.tcp.offset, len);
- if (nread < 0)
- /* error */
- goto kill_tcp_connection;
- if (nread == 0)
- /* eof */
- goto kill_tcp_connection;
- conn->u.tcp.offset += nread;
- if (conn->u.tcp.offset < conn->u.tcp.msglen + 4)
- return;
- /* have a complete message, and exactly one message */
- request.length = conn->u.tcp.msglen;
- request.data = conn->u.tcp.buffer + 4;
-
- if (getsockname(conn->fd, ss2sa(&local_saddr), &local_saddrlen) == 0) {
- local_saddrp = ss2sa(&local_saddr);
- }
-
- err = dispatch(handle, local_saddrp, &conn->u.tcp.faddr,
- &request, &conn->u.tcp.response);
- if (err) {
- com_err(prog, err, "while dispatching (tcp)");
- goto kill_tcp_connection;
- }
- have_response:
- queue_tcp_outgoing_response(conn);
- FD_CLR(conn->fd, &sstate.rfds);
- }
+ /* Read message length and data into one big buffer, already
+ allocated at connect time. If we have a complete message,
+ we stop reading, so we should only be here if there is no
+ data in the buffer, or only an incomplete message. */
+ size_t len;
+ ssize_t nread;
+ if (conn->u.tcp.offset < 4) {
+ /* msglen has not been computed */
+ /* XXX Doing at least two reads here, letting the kernel
+ worry about buffering. It'll be faster when we add
+ code to manage the buffer here. */
+ len = 4 - conn->u.tcp.offset;
+ nread = SOCKET_READ(conn->fd,
+ conn->u.tcp.buffer + conn->u.tcp.offset, len);
+ if (nread < 0)
+ /* error */
+ goto kill_tcp_connection;
+ if (nread == 0)
+ /* eof */
+ goto kill_tcp_connection;
+ conn->u.tcp.offset += nread;
+ if (conn->u.tcp.offset == 4) {
+ unsigned char *p = (unsigned char *)conn->u.tcp.buffer;
+ conn->u.tcp.msglen = load_32_be(p);
+ if (conn->u.tcp.msglen > conn->u.tcp.bufsiz - 4) {
+ krb5_error_code err;
+ /* message too big */
+ krb5_klog_syslog(LOG_ERR, "TCP client %s wants %lu bytes, cap is %lu",
+ conn->u.tcp.addrbuf, (unsigned long) conn->u.tcp.msglen,
+ (unsigned long) conn->u.tcp.bufsiz - 4);
+ /* XXX Should return an error. */
+ err = make_toolong_error (handle, &conn->u.tcp.response);
+ if (err) {
+ krb5_klog_syslog(LOG_ERR,
+ "error constructing KRB_ERR_FIELD_TOOLONG error! %s",
+ error_message(err));
+ goto kill_tcp_connection;
+ }
+ goto have_response;
+ }
+ }
+ } else {
+ /* msglen known */
+ krb5_data request;
+ krb5_error_code err;
+ struct sockaddr_storage local_saddr;
+ socklen_t local_saddrlen = sizeof(local_saddr);
+ struct sockaddr *local_saddrp = NULL;
+
+ len = conn->u.tcp.msglen - (conn->u.tcp.offset - 4);
+ nread = SOCKET_READ(conn->fd,
+ conn->u.tcp.buffer + conn->u.tcp.offset, len);
+ if (nread < 0)
+ /* error */
+ goto kill_tcp_connection;
+ if (nread == 0)
+ /* eof */
+ goto kill_tcp_connection;
+ conn->u.tcp.offset += nread;
+ if (conn->u.tcp.offset < conn->u.tcp.msglen + 4)
+ return;
+ /* have a complete message, and exactly one message */
+ request.length = conn->u.tcp.msglen;
+ request.data = conn->u.tcp.buffer + 4;
+
+ if (getsockname(conn->fd, ss2sa(&local_saddr), &local_saddrlen) == 0) {
+ local_saddrp = ss2sa(&local_saddr);
+ }
+
+ err = dispatch(handle, local_saddrp, &conn->u.tcp.faddr,
+ &request, &conn->u.tcp.response);
+ if (err) {
+ com_err(prog, err, "while dispatching (tcp)");
+ goto kill_tcp_connection;
+ }
+ have_response:
+ queue_tcp_outgoing_response(conn);
+ FD_CLR(conn->fd, &sstate.rfds);
+ }
} else
- abort();
+ abort();
return;
@@ -1788,8 +1789,8 @@ kill_tcp_connection:
}
static void service_conn(void *handle,
- struct connection *conn, const char *prog,
- int selflags)
+ struct connection *conn, const char *prog,
+ int selflags)
{
conn->service(handle, conn, prog, selflags);
}
@@ -1810,82 +1811,82 @@ static int getcurtime(struct timeval *tvp)
krb5_error_code
listen_and_process(void *handle, const char *prog)
{
- int nfound;
+ int nfound;
/* This struct contains 3 fd_set objects; on some platforms, they
can be rather large. Making this static avoids putting all
that junk on the stack. */
static struct select_state sout;
- int i, sret, netchanged = 0;
- krb5_error_code err;
+ int i, sret, netchanged = 0;
+ krb5_error_code err;
kadm5_server_handle_t server_handle = (kadm5_server_handle_t)handle;
if (conns == (struct connection **) NULL)
- return KDC5_NONET;
-
+ return KDC5_NONET;
+
while (!signal_request_exit) {
- if (signal_request_hup) {
- krb5_klog_reopen(server_handle->context);
- reset_db();
- signal_request_hup = 0;
- }
+ if (signal_request_hup) {
+ krb5_klog_reopen(server_handle->context);
+ reset_db();
+ signal_request_hup = 0;
+ }
#ifdef PURIFY
- if (signal_pure_report) {
- purify_new_reports();
- signal_pure_report = 0;
- }
- if (signal_pure_clear) {
- purify_clear_new_reports();
- signal_pure_clear = 0;
- }
+ if (signal_pure_report) {
+ purify_new_reports();
+ signal_pure_report = 0;
+ }
+ if (signal_pure_clear) {
+ purify_clear_new_reports();
+ signal_pure_clear = 0;
+ }
#endif /* PURIFY */
- if (network_reconfiguration_needed) {
- krb5_klog_syslog(LOG_INFO, "network reconfiguration needed");
- /* It might be tidier to add a timer-callback interface to
- the control loop here, but for this one use, it's not a
- big deal. */
- err = getcurtime(&sstate.end_time);
- if (err) {
- com_err(prog, err, "while getting the time");
- continue;
- }
- sstate.end_time.tv_sec += 3;
- netchanged = 1;
- } else
- sstate.end_time.tv_sec = sstate.end_time.tv_usec = 0;
-
- err = krb5int_cm_call_select(&sstate, &sout, &sret);
- if (err) {
- if (err != EINTR)
- com_err(prog, err, "while selecting for network input(1)");
- continue;
- }
- if (sret == 0 && netchanged) {
- network_reconfiguration_needed = 0;
- closedown_network(handle, prog);
- err = setup_network(handle, prog);
- if (err) {
- com_err(prog, err, "while reinitializing network");
- return err;
- }
- netchanged = 0;
- }
- if (sret == -1) {
- if (errno != EINTR)
- com_err(prog, errno, "while selecting for network input(2)");
- continue;
- }
- nfound = sret;
- for (i=0; i<n_sockets && nfound > 0; i++) {
- int sflags = 0;
- if (conns[i]->fd < 0)
- abort();
- if (FD_ISSET(conns[i]->fd, &sout.rfds))
- sflags |= SSF_READ, nfound--;
- if (FD_ISSET(conns[i]->fd, &sout.wfds))
- sflags |= SSF_WRITE, nfound--;
- if (sflags)
- service_conn(handle, conns[i], prog, sflags);
- }
+ if (network_reconfiguration_needed) {
+ krb5_klog_syslog(LOG_INFO, "network reconfiguration needed");
+ /* It might be tidier to add a timer-callback interface to
+ the control loop here, but for this one use, it's not a
+ big deal. */
+ err = getcurtime(&sstate.end_time);
+ if (err) {
+ com_err(prog, err, "while getting the time");
+ continue;
+ }
+ sstate.end_time.tv_sec += 3;
+ netchanged = 1;
+ } else
+ sstate.end_time.tv_sec = sstate.end_time.tv_usec = 0;
+
+ err = krb5int_cm_call_select(&sstate, &sout, &sret);
+ if (err) {
+ if (err != EINTR)
+ com_err(prog, err, "while selecting for network input(1)");
+ continue;
+ }
+ if (sret == 0 && netchanged) {
+ network_reconfiguration_needed = 0;
+ closedown_network(handle, prog);
+ err = setup_network(handle, prog);
+ if (err) {
+ com_err(prog, err, "while reinitializing network");
+ return err;
+ }
+ netchanged = 0;
+ }
+ if (sret == -1) {
+ if (errno != EINTR)
+ com_err(prog, errno, "while selecting for network input(2)");
+ continue;
+ }
+ nfound = sret;
+ for (i=0; i<n_sockets && nfound > 0; i++) {
+ int sflags = 0;
+ if (conns[i]->fd < 0)
+ abort();
+ if (FD_ISSET(conns[i]->fd, &sout.rfds))
+ sflags |= SSF_READ, nfound--;
+ if (FD_ISSET(conns[i]->fd, &sout.wfds))
+ sflags |= SSF_WRITE, nfound--;
+ if (sflags)
+ service_conn(handle, conns[i], prog, sflags);
+ }
}
krb5_klog_syslog(LOG_INFO, "shutdown signal received");
return 0;
@@ -1898,31 +1899,31 @@ closedown_network(void *handle, const char *prog)
struct connection *conn;
if (conns == (struct connection **) NULL)
- return KDC5_NONET;
+ return KDC5_NONET;
FOREACH_ELT (connections, i, conn) {
- if (conn->fd >= 0) {
- krb5_klog_syslog(LOG_INFO, "closing down fd %d", conn->fd);
- (void) close(conn->fd);
- if (conn->type == CONN_RPC) {
- fd_set fds;
-
- FD_ZERO(&fds);
- FD_SET(conn->fd, &fds);
-
- svc_getreqset(&fds);
- }
- }
- if (conn->type == CONN_RPC_LISTENER) {
- if (conn->u.rpc.transp != NULL)
- svc_destroy(conn->u.rpc.transp);
- }
- DEL (connections, i);
- /* There may also be per-connection data in the tcp structure
- (tcp.buffer, tcp.response) that we're not freeing here.
- That should only happen if we quit with a connection in
- progress. */
- free(conn);
+ if (conn->fd >= 0) {
+ krb5_klog_syslog(LOG_INFO, "closing down fd %d", conn->fd);
+ (void) close(conn->fd);
+ if (conn->type == CONN_RPC) {
+ fd_set fds;
+
+ FD_ZERO(&fds);
+ FD_SET(conn->fd, &fds);
+
+ svc_getreqset(&fds);
+ }
+ }
+ if (conn->type == CONN_RPC_LISTENER) {
+ if (conn->u.rpc.transp != NULL)
+ svc_destroy(conn->u.rpc.transp);
+ }
+ DEL (connections, i);
+ /* There may also be per-connection data in the tcp structure
+ (tcp.buffer, tcp.response) that we're not freeing here.
+ That should only happen if we quit with a connection in
+ progress. */
+ free(conn);
}
FREE_SET_DATA(connections);
FREE_SET_DATA(udp_port_data);
@@ -1933,7 +1934,7 @@ closedown_network(void *handle, const char *prog)
}
static void accept_rpc_connection(void *handle, struct connection *conn,
- const char *prog, int selflags)
+ const char *prog, int selflags)
{
struct socksetup sockdata;
fd_set fds;
@@ -1942,7 +1943,7 @@ static void accept_rpc_connection(void *handle, struct connection *conn,
assert(selflags & SSF_READ);
if ((selflags & SSF_READ) == 0)
- return;
+ return;
sockdata.prog = prog;
sockdata.retval = 0;
@@ -1959,73 +1960,73 @@ static void accept_rpc_connection(void *handle, struct connection *conn,
* Scan svc_fdset for any new connections.
*/
for (s = 0; s < FD_SETSIZE; s++) {
- /* sstate.rfds |= svc_fdset & ~(rpc_listenfds | sstate.rfds) */
- if (FD_ISSET(s, &svc_fdset)
- && !FD_ISSET(s, &rpc_listenfds)
- && !FD_ISSET(s, &sstate.rfds))
- {
- struct connection *newconn;
- struct sockaddr_storage addr_s;
- struct sockaddr *addr = (struct sockaddr *)&addr_s;
- socklen_t addrlen = sizeof(addr_s);
- char tmpbuf[10];
-
- newconn = add_rpc_data_fd(&sockdata, s);
- if (newconn == NULL)
- continue;
-
- set_cloexec_fd(s);
+ /* sstate.rfds |= svc_fdset & ~(rpc_listenfds | sstate.rfds) */
+ if (FD_ISSET(s, &svc_fdset)
+ && !FD_ISSET(s, &rpc_listenfds)
+ && !FD_ISSET(s, &sstate.rfds))
+ {
+ struct connection *newconn;
+ struct sockaddr_storage addr_s;
+ struct sockaddr *addr = (struct sockaddr *)&addr_s;
+ socklen_t addrlen = sizeof(addr_s);
+ char tmpbuf[10];
+
+ newconn = add_rpc_data_fd(&sockdata, s);
+ if (newconn == NULL)
+ continue;
+
+ set_cloexec_fd(s);
#if 0
- setnbio(s), setnolinger(s), setkeepalive(s);
+ setnbio(s), setnolinger(s), setkeepalive(s);
#endif
- if (getpeername(s, addr, &addrlen) ||
- getnameinfo(addr, addrlen,
- newconn->u.tcp.addrbuf, sizeof(newconn->u.tcp.addrbuf),
- tmpbuf, sizeof(tmpbuf),
- NI_NUMERICHOST | NI_NUMERICSERV))
- strlcpy(newconn->u.tcp.addrbuf, "???", sizeof(newconn->u.tcp.addrbuf));
- else {
- char *p, *end;
- p = newconn->u.tcp.addrbuf;
- end = p + sizeof(newconn->u.tcp.addrbuf);
- p += strlen(p);
- if (end - p > 2 + strlen(tmpbuf)) {
- *p++ = '.';
- strlcpy(p, tmpbuf, end - p);
- }
- }
+ if (getpeername(s, addr, &addrlen) ||
+ getnameinfo(addr, addrlen,
+ newconn->u.tcp.addrbuf, sizeof(newconn->u.tcp.addrbuf),
+ tmpbuf, sizeof(tmpbuf),
+ NI_NUMERICHOST | NI_NUMERICSERV))
+ strlcpy(newconn->u.tcp.addrbuf, "???", sizeof(newconn->u.tcp.addrbuf));
+ else {
+ char *p, *end;
+ p = newconn->u.tcp.addrbuf;
+ end = p + sizeof(newconn->u.tcp.addrbuf);
+ p += strlen(p);
+ if (end - p > 2 + strlen(tmpbuf)) {
+ *p++ = '.';
+ strlcpy(p, tmpbuf, end - p);
+ }
+ }
#if 0
- krb5_klog_syslog(LOG_INFO, "accepted RPC connection on socket %d from %s",
- s, newconn->u.tcp.addrbuf);
+ krb5_klog_syslog(LOG_INFO, "accepted RPC connection on socket %d from %s",
+ s, newconn->u.tcp.addrbuf);
#endif
- newconn->u.tcp.addr_s = addr_s;
- newconn->u.tcp.addrlen = addrlen;
- newconn->u.tcp.start_time = time(0);
+ newconn->u.tcp.addr_s = addr_s;
+ newconn->u.tcp.addrlen = addrlen;
+ newconn->u.tcp.start_time = time(0);
- if (++tcp_or_rpc_data_counter > max_tcp_or_rpc_data_connections)
- kill_lru_tcp_or_rpc_connection(handle, newconn);
+ if (++tcp_or_rpc_data_counter > max_tcp_or_rpc_data_connections)
+ kill_lru_tcp_or_rpc_connection(handle, newconn);
- newconn->u.tcp.faddr.address = &newconn->u.tcp.kaddr;
- init_addr(&newconn->u.tcp.faddr, ss2sa(&newconn->u.tcp.addr_s));
+ newconn->u.tcp.faddr.address = &newconn->u.tcp.kaddr;
+ init_addr(&newconn->u.tcp.faddr, ss2sa(&newconn->u.tcp.addr_s));
- FD_SET(s, &sstate.rfds);
- if (sstate.max <= s)
- sstate.max = s + 1;
- }
+ FD_SET(s, &sstate.rfds);
+ if (sstate.max <= s)
+ sstate.max = s + 1;
+ }
}
}
static void process_rpc_connection(void *handle, struct connection *conn,
- const char *prog, int selflags)
+ const char *prog, int selflags)
{
fd_set fds;
assert(selflags & SSF_READ);
if ((selflags & SSF_READ) == 0)
- return;
+ return;
FD_ZERO(&fds);
FD_SET(conn->fd, &fds);
@@ -2033,7 +2034,7 @@ static void process_rpc_connection(void *handle, struct connection *conn,
svc_getreqset(&fds);
if (!FD_ISSET(conn->fd, &svc_fdset))
- kill_tcp_or_rpc_connection(handle, conn, 0);
+ kill_tcp_or_rpc_connection(handle, conn, 0);
}
#endif /* INET */
diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
index c01cbef73a..1615877fb0 100644
--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
@@ -5,14 +6,14 @@
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -23,7 +24,7 @@
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
@@ -50,7 +51,7 @@
#include <kadm5/kadm_rpc.h>
#include <kadm5/server_acl.h>
#include <adm_proto.h>
-#include "kdb_kt.h" /* for krb5_ktkdb_set_context */
+#include "kdb_kt.h" /* for krb5_ktkdb_set_context */
#include <string.h>
#include "kadm5/server_internal.h" /* XXX for kadm5_server_handle_t */
#include <kdb_log.h>
@@ -60,30 +61,30 @@
#ifdef PURIFY
#include "purify.h"
-int signal_pure_report = 0;
-int signal_pure_clear = 0;
-void request_pure_report(int);
-void request_pure_clear(int);
+int signal_pure_report = 0;
+int signal_pure_clear = 0;
+void request_pure_report(int);
+void request_pure_clear(int);
#endif /* PURIFY */
#if defined(NEED_DAEMON_PROTO)
extern int daemon(int, int);
#endif
-volatile int signal_request_exit = 0;
-volatile int signal_request_hup = 0;
+volatile int signal_request_exit = 0;
+volatile int signal_request_hup = 0;
void setup_signal_handlers(iprop_role iproprole);
-void request_exit(int);
-void request_hup(int);
-void reset_db(void);
-void sig_pipe(int);
+void request_exit(int);
+void request_hup(int);
+void reset_db(void);
+void sig_pipe(int);
#ifdef POSIX_SIGNALS
static struct sigaction s_action;
#endif /* POSIX_SIGNALS */
-#define TIMEOUT 15
+#define TIMEOUT 15
gss_name_t gss_changepw_name = NULL, gss_oldchangepw_name = NULL;
gss_name_t gss_kadmin_name = NULL;
@@ -94,16 +95,16 @@ extern krb5_keylist_node *master_keylist;
char *build_princ_name(char *name, char *realm);
void log_badauth(OM_uint32 major, OM_uint32 minor,
- struct sockaddr_in *addr, char *data);
+ struct sockaddr_in *addr, char *data);
void log_badverf(gss_name_t client_name, gss_name_t server_name,
- struct svc_req *rqst, struct rpc_msg *msg,
- char *data);
+ struct svc_req *rqst, struct rpc_msg *msg,
+ char *data);
void log_miscerr(struct svc_req *rqst, struct rpc_msg *msg, char
- *error, char *data);
+ *error, char *data);
void log_badauth_display_status(char *msg, OM_uint32 major, OM_uint32 minor);
void log_badauth_display_status_1(char *m, OM_uint32 code, int type,
- int rec);
-
+ int rec);
+
int schpw;
void do_schpw(int s, kadm5_config_params *params);
@@ -117,7 +118,7 @@ void kadm5_set_use_password_server (void);
/*
* Function: usage
- *
+ *
* Purpose: print out the server usage message
*
* Arguments:
@@ -128,15 +129,15 @@ void kadm5_set_use_password_server (void);
static void usage()
{
- fprintf(stderr, "Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] "
+ fprintf(stderr, "Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] "
#ifdef USE_PASSWORD_SERVER
- "[-passwordserver] "
+ "[-passwordserver] "
#endif
- "[-port port-number]\n"
- "\nwhere,\n\t[-x db_args]* - any number of database specific arguments.\n"
- "\t\t\tLook at each database documentation for supported arguments\n"
- );
- exit(1);
+ "[-port port-number]\n"
+ "\nwhere,\n\t[-x db_args]* - any number of database specific arguments.\n"
+ "\t\t\tLook at each database documentation for supported arguments\n"
+ );
+ exit(1);
}
/*
@@ -146,9 +147,9 @@ static void usage()
*
* Arguments:
*
- * msg a string to be displayed with the message
- * maj_stat the GSS-API major status code
- * min_stat the GSS-API minor status code
+ * msg a string to be displayed with the message
+ * maj_stat the GSS-API major status code
+ * min_stat the GSS-API minor status code
*
* Effects:
*
@@ -159,35 +160,35 @@ static void usage()
static void display_status_1(char *, OM_uint32, int);
static void display_status(msg, maj_stat, min_stat)
- char *msg;
- OM_uint32 maj_stat;
- OM_uint32 min_stat;
+ char *msg;
+ OM_uint32 maj_stat;
+ OM_uint32 min_stat;
{
- display_status_1(msg, maj_stat, GSS_C_GSS_CODE);
- display_status_1(msg, min_stat, GSS_C_MECH_CODE);
+ display_status_1(msg, maj_stat, GSS_C_GSS_CODE);
+ display_status_1(msg, min_stat, GSS_C_MECH_CODE);
}
static void display_status_1(m, code, type)
- char *m;
- OM_uint32 code;
- int type;
+ char *m;
+ OM_uint32 code;
+ int type;
{
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc msg;
- OM_uint32 msg_ctx;
-
- msg_ctx = 0;
- while (1) {
- maj_stat = gss_display_status(&min_stat, code,
- type, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- fprintf(stderr, "GSS-API error %s: %s\n", m,
- (char *)msg.value);
- (void) gss_release_buffer(&min_stat, &msg);
-
- if (!msg_ctx)
- break;
- }
+ OM_uint32 maj_stat, min_stat;
+ gss_buffer_desc msg;
+ OM_uint32 msg_ctx;
+
+ msg_ctx = 0;
+ while (1) {
+ maj_stat = gss_display_status(&min_stat, code,
+ type, GSS_C_NULL_OID,
+ &msg_ctx, &msg);
+ fprintf(stderr, "GSS-API error %s: %s\n", m,
+ (char *)msg.value);
+ (void) gss_release_buffer(&min_stat, &msg);
+
+ if (!msg_ctx)
+ break;
+ }
}
@@ -200,410 +201,410 @@ int nofork = 0;
int main(int argc, char *argv[])
{
- extern char *optarg;
- extern int optind, opterr;
- int ret;
- OM_uint32 OMret, major_status, minor_status;
- char *whoami;
- gss_buffer_desc in_buf;
- auth_gssapi_name names[4];
- gss_buffer_desc gssbuf;
- gss_OID nt_krb5_name_oid;
- kadm5_config_params params;
- char **db_args = NULL;
- int db_args_size = 0;
- char *errmsg;
- int i;
- int strong_random = 1;
-
- kdb_log_context *log_ctx;
-
- setvbuf(stderr, NULL, _IONBF, 0);
-
- /* This is OID value the Krb5_Name NameType */
- gssbuf.value = "{1 2 840 113554 1 2 2 1}";
- gssbuf.length = strlen(gssbuf.value);
- major_status = gss_str_to_oid(&minor_status, &gssbuf, &nt_krb5_name_oid);
- if (major_status != GSS_S_COMPLETE) {
- fprintf(stderr, "Couldn't create KRB5 Name NameType OID\n");
- display_status("str_to_oid", major_status, minor_status);
- exit(1);
- }
-
- names[0].name = names[1].name = names[2].name = names[3].name = NULL;
- names[0].type = names[1].type = names[2].type = names[3].type =
- nt_krb5_name_oid;
+ extern char *optarg;
+ extern int optind, opterr;
+ int ret;
+ OM_uint32 OMret, major_status, minor_status;
+ char *whoami;
+ gss_buffer_desc in_buf;
+ auth_gssapi_name names[4];
+ gss_buffer_desc gssbuf;
+ gss_OID nt_krb5_name_oid;
+ kadm5_config_params params;
+ char **db_args = NULL;
+ int db_args_size = 0;
+ char *errmsg;
+ int i;
+ int strong_random = 1;
+
+ kdb_log_context *log_ctx;
+
+ setvbuf(stderr, NULL, _IONBF, 0);
+
+ /* This is OID value the Krb5_Name NameType */
+ gssbuf.value = "{1 2 840 113554 1 2 2 1}";
+ gssbuf.length = strlen(gssbuf.value);
+ major_status = gss_str_to_oid(&minor_status, &gssbuf, &nt_krb5_name_oid);
+ if (major_status != GSS_S_COMPLETE) {
+ fprintf(stderr, "Couldn't create KRB5 Name NameType OID\n");
+ display_status("str_to_oid", major_status, minor_status);
+ exit(1);
+ }
+
+ names[0].name = names[1].name = names[2].name = names[3].name = NULL;
+ names[0].type = names[1].type = names[2].type = names[3].type =
+ nt_krb5_name_oid;
#ifdef PURIFY
- purify_start_batch();
+ purify_start_batch();
#endif /* PURIFY */
- whoami = (strrchr(argv[0], '/') ? strrchr(argv[0], '/')+1 : argv[0]);
-
- nofork = 0;
-
- memset(&params, 0, sizeof(params));
-
- argc--; argv++;
- while (argc) {
- if (strcmp(*argv, "-x") == 0) {
- argc--; argv++;
- if (!argc)
- usage();
- db_args_size++;
- {
- char **temp = realloc( db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */
- if( temp == NULL )
- {
- fprintf(stderr,"%s: cannot initialize. Not enough memory\n",
- whoami);
- exit(1);
- }
- db_args = temp;
- }
- db_args[db_args_size-1] = *argv;
- db_args[db_args_size] = NULL;
- }else if (strcmp(*argv, "-r") == 0) {
- argc--; argv++;
- if (!argc)
- usage();
- params.realm = *argv;
- params.mask |= KADM5_CONFIG_REALM;
- argc--; argv++;
- continue;
- } else if (strcmp(*argv, "-m") == 0) {
- params.mkey_from_kbd = 1;
- params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
- } else if (strcmp(*argv, "-nofork") == 0) {
- nofork = 1;
+ whoami = (strrchr(argv[0], '/') ? strrchr(argv[0], '/')+1 : argv[0]);
+
+ nofork = 0;
+
+ memset(&params, 0, sizeof(params));
+
+ argc--; argv++;
+ while (argc) {
+ if (strcmp(*argv, "-x") == 0) {
+ argc--; argv++;
+ if (!argc)
+ usage();
+ db_args_size++;
+ {
+ char **temp = realloc( db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */
+ if( temp == NULL )
+ {
+ fprintf(stderr,"%s: cannot initialize. Not enough memory\n",
+ whoami);
+ exit(1);
+ }
+ db_args = temp;
+ }
+ db_args[db_args_size-1] = *argv;
+ db_args[db_args_size] = NULL;
+ }else if (strcmp(*argv, "-r") == 0) {
+ argc--; argv++;
+ if (!argc)
+ usage();
+ params.realm = *argv;
+ params.mask |= KADM5_CONFIG_REALM;
+ argc--; argv++;
+ continue;
+ } else if (strcmp(*argv, "-m") == 0) {
+ params.mkey_from_kbd = 1;
+ params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
+ } else if (strcmp(*argv, "-nofork") == 0) {
+ nofork = 1;
#ifdef USE_PASSWORD_SERVER
- } else if (strcmp(*argv, "-passwordserver") == 0) {
- kadm5_set_use_password_server ();
-#endif
- } else if(strcmp(*argv, "-port") == 0) {
- argc--; argv++;
- if(!argc)
- usage();
- params.kadmind_port = atoi(*argv);
- params.mask |= KADM5_CONFIG_KADMIND_PORT;
- } else if (strcmp(*argv, "-W") == 0) {
- strong_random = 0;
- } else
- break;
- argc--; argv++;
- }
-
- if (argc != 0)
- usage();
-
- if ((ret = kadm5_init_krb5_context(&context))) {
- fprintf(stderr, "%s: %s while initializing context, aborting\n",
- whoami, error_message(ret));
- exit(1);
- }
-
- krb5_klog_init(context, "admin_server", whoami, 1);
-
- if((ret = kadm5_init(context, "kadmind", NULL,
- NULL, &params,
- KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_3,
- db_args,
- &global_server_handle)) != KADM5_OK) {
- const char *e_txt = krb5_get_error_message (context, ret);
- krb5_klog_syslog(LOG_ERR, "%s while initializing, aborting",
- e_txt);
- fprintf(stderr, "%s: %s while initializing, aborting\n",
- whoami, e_txt);
- krb5_klog_close(context);
- exit(1);
- }
-
- if ((ret = kadm5_get_config_params(context, 1, &params,
- &params))) {
- const char *e_txt = krb5_get_error_message (context, ret);
- krb5_klog_syslog(LOG_ERR, "%s: %s while initializing, aborting",
- whoami, e_txt);
- fprintf(stderr, "%s: %s while initializing, aborting\n",
- whoami, e_txt);
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
+ } else if (strcmp(*argv, "-passwordserver") == 0) {
+ kadm5_set_use_password_server ();
+#endif
+ } else if(strcmp(*argv, "-port") == 0) {
+ argc--; argv++;
+ if(!argc)
+ usage();
+ params.kadmind_port = atoi(*argv);
+ params.mask |= KADM5_CONFIG_KADMIND_PORT;
+ } else if (strcmp(*argv, "-W") == 0) {
+ strong_random = 0;
+ } else
+ break;
+ argc--; argv++;
+ }
+
+ if (argc != 0)
+ usage();
+
+ if ((ret = kadm5_init_krb5_context(&context))) {
+ fprintf(stderr, "%s: %s while initializing context, aborting\n",
+ whoami, error_message(ret));
+ exit(1);
+ }
+
+ krb5_klog_init(context, "admin_server", whoami, 1);
+
+ if((ret = kadm5_init(context, "kadmind", NULL,
+ NULL, &params,
+ KADM5_STRUCT_VERSION,
+ KADM5_API_VERSION_3,
+ db_args,
+ &global_server_handle)) != KADM5_OK) {
+ const char *e_txt = krb5_get_error_message (context, ret);
+ krb5_klog_syslog(LOG_ERR, "%s while initializing, aborting",
+ e_txt);
+ fprintf(stderr, "%s: %s while initializing, aborting\n",
+ whoami, e_txt);
+ krb5_klog_close(context);
+ exit(1);
+ }
+
+ if ((ret = kadm5_get_config_params(context, 1, &params,
+ &params))) {
+ const char *e_txt = krb5_get_error_message (context, ret);
+ krb5_klog_syslog(LOG_ERR, "%s: %s while initializing, aborting",
+ whoami, e_txt);
+ fprintf(stderr, "%s: %s while initializing, aborting\n",
+ whoami, e_txt);
+ kadm5_destroy(global_server_handle);
+ krb5_klog_close(context);
+ exit(1);
+ }
#define REQUIRED_PARAMS (KADM5_CONFIG_REALM | KADM5_CONFIG_ACL_FILE)
- if ((params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) {
- krb5_klog_syslog(LOG_ERR, "%s: Missing required configuration values "
- "(%lx) while initializing, aborting", whoami,
- (params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS);
- fprintf(stderr, "%s: Missing required configuration values "
- "(%lx) while initializing, aborting\n", whoami,
- (params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS);
- krb5_klog_close(context);
- kadm5_destroy(global_server_handle);
- exit(1);
- }
-
- if ((ret = setup_network(global_server_handle, whoami))) {
- const char *e_txt = krb5_get_error_message (context, ret);
- krb5_klog_syslog(LOG_ERR, "%s: %s while initializing network, aborting",
- whoami, e_txt);
- fprintf(stderr, "%s: %s while initializing network, aborting\n",
- whoami, e_txt);
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
-
- names[0].name = build_princ_name(KADM5_ADMIN_SERVICE, params.realm);
- names[1].name = build_princ_name(KADM5_CHANGEPW_SERVICE, params.realm);
- if (names[0].name == NULL || names[1].name == NULL) {
- krb5_klog_syslog(LOG_ERR,
- "Cannot build GSS-API authentication names, "
- "failing.");
- fprintf(stderr, "%s: Cannot build GSS-API authentication names.\n",
- whoami);
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
-
- /*
- * Go through some contortions to point gssapi at a kdb keytab.
- * This prevents kadmind from needing to use an actual file-based
- * keytab.
- */
- /* XXX extract kadm5's krb5_context */
- hctx = ((kadm5_server_handle_t)global_server_handle)->context;
- /* Set ktkdb's internal krb5_context. */
- ret = krb5_ktkdb_set_context(hctx);
- if (ret) {
- krb5_klog_syslog(LOG_ERR, "Can't set kdb keytab's internal context.");
- goto kterr;
- }
- /* XXX master_keyblock is in guts of lib/kadm5/server_kdb.c */
- ret = krb5_db_set_mkey(hctx, &master_keyblock);
- if (ret) {
- krb5_klog_syslog(LOG_ERR, "Can't set master key for kdb keytab.");
- goto kterr;
- }
- ret = krb5_db_set_mkey_list(hctx, master_keylist);
- if (ret) {
- krb5_klog_syslog(LOG_ERR, "Can't set master key list for kdb keytab.");
- goto kterr;
- }
- ret = krb5_kt_register(context, &krb5_kt_kdb_ops);
- if (ret) {
- krb5_klog_syslog(LOG_ERR, "Can't register kdb keytab.");
- goto kterr;
- }
- /* Tell gssapi about the kdb keytab. */
- ret = krb5_gss_register_acceptor_identity("KDB:");
- if (ret) {
- krb5_klog_syslog(LOG_ERR, "Can't register acceptor keytab.");
- goto kterr;
- }
+ if ((params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) {
+ krb5_klog_syslog(LOG_ERR, "%s: Missing required configuration values "
+ "(%lx) while initializing, aborting", whoami,
+ (params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS);
+ fprintf(stderr, "%s: Missing required configuration values "
+ "(%lx) while initializing, aborting\n", whoami,
+ (params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS);
+ krb5_klog_close(context);
+ kadm5_destroy(global_server_handle);
+ exit(1);
+ }
+
+ if ((ret = setup_network(global_server_handle, whoami))) {
+ const char *e_txt = krb5_get_error_message (context, ret);
+ krb5_klog_syslog(LOG_ERR, "%s: %s while initializing network, aborting",
+ whoami, e_txt);
+ fprintf(stderr, "%s: %s while initializing network, aborting\n",
+ whoami, e_txt);
+ kadm5_destroy(global_server_handle);
+ krb5_klog_close(context);
+ exit(1);
+ }
+
+ names[0].name = build_princ_name(KADM5_ADMIN_SERVICE, params.realm);
+ names[1].name = build_princ_name(KADM5_CHANGEPW_SERVICE, params.realm);
+ if (names[0].name == NULL || names[1].name == NULL) {
+ krb5_klog_syslog(LOG_ERR,
+ "Cannot build GSS-API authentication names, "
+ "failing.");
+ fprintf(stderr, "%s: Cannot build GSS-API authentication names.\n",
+ whoami);
+ kadm5_destroy(global_server_handle);
+ krb5_klog_close(context);
+ exit(1);
+ }
+
+ /*
+ * Go through some contortions to point gssapi at a kdb keytab.
+ * This prevents kadmind from needing to use an actual file-based
+ * keytab.
+ */
+ /* XXX extract kadm5's krb5_context */
+ hctx = ((kadm5_server_handle_t)global_server_handle)->context;
+ /* Set ktkdb's internal krb5_context. */
+ ret = krb5_ktkdb_set_context(hctx);
+ if (ret) {
+ krb5_klog_syslog(LOG_ERR, "Can't set kdb keytab's internal context.");
+ goto kterr;
+ }
+ /* XXX master_keyblock is in guts of lib/kadm5/server_kdb.c */
+ ret = krb5_db_set_mkey(hctx, &master_keyblock);
+ if (ret) {
+ krb5_klog_syslog(LOG_ERR, "Can't set master key for kdb keytab.");
+ goto kterr;
+ }
+ ret = krb5_db_set_mkey_list(hctx, master_keylist);
+ if (ret) {
+ krb5_klog_syslog(LOG_ERR, "Can't set master key list for kdb keytab.");
+ goto kterr;
+ }
+ ret = krb5_kt_register(context, &krb5_kt_kdb_ops);
+ if (ret) {
+ krb5_klog_syslog(LOG_ERR, "Can't register kdb keytab.");
+ goto kterr;
+ }
+ /* Tell gssapi about the kdb keytab. */
+ ret = krb5_gss_register_acceptor_identity("KDB:");
+ if (ret) {
+ krb5_klog_syslog(LOG_ERR, "Can't register acceptor keytab.");
+ goto kterr;
+ }
kterr:
- if (ret) {
- krb5_klog_syslog(LOG_ERR, "%s", krb5_get_error_message (context, ret));
- fprintf(stderr, "%s: Can't set up keytab for RPC.\n", whoami);
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
-
- if (svcauth_gssapi_set_names(names, 2) == FALSE) {
- krb5_klog_syslog(LOG_ERR,
- "Cannot set GSS-API authentication names (keytab not present?), "
- "failing.");
- fprintf(stderr, "%s: Cannot set GSS-API authentication names.\n",
- whoami);
- svcauth_gssapi_unset_names();
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
-
- /* if set_names succeeded, this will too */
- in_buf.value = names[1].name;
- in_buf.length = strlen(names[1].name) + 1;
- (void) gss_import_name(&OMret, &in_buf, nt_krb5_name_oid,
- &gss_changepw_name);
-
- svcauth_gssapi_set_log_badauth_func(log_badauth, NULL);
- svcauth_gssapi_set_log_badverf_func(log_badverf, NULL);
- svcauth_gssapi_set_log_miscerr_func(log_miscerr, NULL);
-
- svcauth_gss_set_log_badauth_func(log_badauth, NULL);
- svcauth_gss_set_log_badverf_func(log_badverf, NULL);
- svcauth_gss_set_log_miscerr_func(log_miscerr, NULL);
-
- if (svcauth_gss_set_svc_name(GSS_C_NO_NAME) != TRUE) {
- fprintf(stderr, "%s: Cannot initialize RPCSEC_GSS service name.\n",
- whoami);
- exit(1);
- }
-
- if ((ret = kadm5int_acl_init(context, 0, params.acl_file))) {
- errmsg = krb5_get_error_message (context, ret);
- krb5_klog_syslog(LOG_ERR, "Cannot initialize acl file: %s",
- errmsg);
- fprintf(stderr, "%s: Cannot initialize acl file: %s\n",
- whoami, errmsg);
- svcauth_gssapi_unset_names();
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
-
- if (!nofork && (ret = daemon(0, 0))) {
- ret = errno;
- errmsg = krb5_get_error_message (context, ret);
- krb5_klog_syslog(LOG_ERR, "Cannot detach from tty: %s", errmsg);
- fprintf(stderr, "%s: Cannot detach from tty: %s\n",
- whoami, errmsg);
- svcauth_gssapi_unset_names();
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
-
- krb5_klog_syslog(LOG_INFO, "Seeding random number generator");
- ret = krb5_c_random_os_entropy(context, strong_random, NULL);
- if (ret) {
- krb5_klog_syslog(LOG_ERR, "Error getting random seed: %s, aborting",
- krb5_get_error_message(context, ret));
- svcauth_gssapi_unset_names();
- kadm5_destroy(global_server_handle);
- krb5_klog_close(context);
- exit(1);
- }
-
+ if (ret) {
+ krb5_klog_syslog(LOG_ERR, "%s", krb5_get_error_message (context, ret));
+ fprintf(stderr, "%s: Can't set up keytab for RPC.\n", whoami);
+ kadm5_destroy(global_server_handle);
+ krb5_klog_close(context);
+ exit(1);
+ }
+
+ if (svcauth_gssapi_set_names(names, 2) == FALSE) {
+ krb5_klog_syslog(LOG_ERR,
+ "Cannot set GSS-API authentication names (keytab not present?), "
+ "failing.");
+ fprintf(stderr, "%s: Cannot set GSS-API authentication names.\n",
+ whoami);
+ svcauth_gssapi_unset_names();
+ kadm5_destroy(global_server_handle);
+ krb5_klog_close(context);
+ exit(1);
+ }
+
+ /* if set_names succeeded, this will too */
+ in_buf.value = names[1].name;
+ in_buf.length = strlen(names[1].name) + 1;
+ (void) gss_import_name(&OMret, &in_buf, nt_krb5_name_oid,
+ &gss_changepw_name);
+
+ svcauth_gssapi_set_log_badauth_func(log_badauth, NULL);
+ svcauth_gssapi_set_log_badverf_func(log_badverf, NULL);
+ svcauth_gssapi_set_log_miscerr_func(log_miscerr, NULL);
+
+ svcauth_gss_set_log_badauth_func(log_badauth, NULL);
+ svcauth_gss_set_log_badverf_func(log_badverf, NULL);
+ svcauth_gss_set_log_miscerr_func(log_miscerr, NULL);
+
+ if (svcauth_gss_set_svc_name(GSS_C_NO_NAME) != TRUE) {
+ fprintf(stderr, "%s: Cannot initialize RPCSEC_GSS service name.\n",
+ whoami);
+ exit(1);
+ }
+
+ if ((ret = kadm5int_acl_init(context, 0, params.acl_file))) {
+ errmsg = krb5_get_error_message (context, ret);
+ krb5_klog_syslog(LOG_ERR, "Cannot initialize acl file: %s",
+ errmsg);
+ fprintf(stderr, "%s: Cannot initialize acl file: %s\n",
+ whoami, errmsg);
+ svcauth_gssapi_unset_names();
+ kadm5_destroy(global_server_handle);
+ krb5_klog_close(context);
+ exit(1);
+ }
+
+ if (!nofork && (ret = daemon(0, 0))) {
+ ret = errno;
+ errmsg = krb5_get_error_message (context, ret);
+ krb5_klog_syslog(LOG_ERR, "Cannot detach from tty: %s", errmsg);
+ fprintf(stderr, "%s: Cannot detach from tty: %s\n",
+ whoami, errmsg);
+ svcauth_gssapi_unset_names();
+ kadm5_destroy(global_server_handle);
+ krb5_klog_close(context);
+ exit(1);
+ }
+
+ krb5_klog_syslog(LOG_INFO, "Seeding random number generator");
+ ret = krb5_c_random_os_entropy(context, strong_random, NULL);
+ if (ret) {
+ krb5_klog_syslog(LOG_ERR, "Error getting random seed: %s, aborting",
+ krb5_get_error_message(context, ret));
+ svcauth_gssapi_unset_names();
+ kadm5_destroy(global_server_handle);
+ krb5_klog_close(context);
+ exit(1);
+ }
+
if (params.iprop_enabled == TRUE)
- ulog_set_role(hctx, IPROP_MASTER);
+ ulog_set_role(hctx, IPROP_MASTER);
else
- ulog_set_role(hctx, IPROP_NULL);
+ ulog_set_role(hctx, IPROP_NULL);
log_ctx = hctx->kdblog_context;
if (log_ctx && (log_ctx->iproprole == IPROP_MASTER)) {
- /*
- * IProp is enabled, so let's map in the update log
- * and setup the service.
- */
- if ((ret = ulog_map(hctx, params.iprop_logfile,
- params.iprop_ulogsize, FKADMIND, db_args)) != 0) {
- fprintf(stderr,
- _("%s: %s while mapping update log (`%s.ulog')\n"),
- whoami, error_message(ret), params.dbname);
- krb5_klog_syslog(LOG_ERR,
- _("%s while mapping update log (`%s.ulog')"),
- error_message(ret), params.dbname);
- krb5_klog_close(context);
- exit(1);
- }
-
-
- if (nofork)
- fprintf(stderr,
- "%s: create IPROP svc (PROG=%d, VERS=%d)\n",
- whoami, KRB5_IPROP_PROG, KRB5_IPROP_VERS);
+ /*
+ * IProp is enabled, so let's map in the update log
+ * and setup the service.
+ */
+ if ((ret = ulog_map(hctx, params.iprop_logfile,
+ params.iprop_ulogsize, FKADMIND, db_args)) != 0) {
+ fprintf(stderr,
+ _("%s: %s while mapping update log (`%s.ulog')\n"),
+ whoami, error_message(ret), params.dbname);
+ krb5_klog_syslog(LOG_ERR,
+ _("%s while mapping update log (`%s.ulog')"),
+ error_message(ret), params.dbname);
+ krb5_klog_close(context);
+ exit(1);
+ }
+
+
+ if (nofork)
+ fprintf(stderr,
+ "%s: create IPROP svc (PROG=%d, VERS=%d)\n",
+ whoami, KRB5_IPROP_PROG, KRB5_IPROP_VERS);
#if 0
- if (!svc_create(krb5_iprop_prog_1,
- KRB5_IPROP_PROG, KRB5_IPROP_VERS,
- "circuit_v")) {
- fprintf(stderr,
- _("%s: Cannot create IProp RPC service (PROG=%d, VERS=%d)\n"),
- whoami,
- KRB5_IPROP_PROG, KRB5_IPROP_VERS);
- krb5_klog_syslog(LOG_ERR,
- _("Cannot create IProp RPC service (PROG=%d, VERS=%d), failing."),
- KRB5_IPROP_PROG, KRB5_IPROP_VERS);
- krb5_klog_close(context);
- exit(1);
- }
+ if (!svc_create(krb5_iprop_prog_1,
+ KRB5_IPROP_PROG, KRB5_IPROP_VERS,
+ "circuit_v")) {
+ fprintf(stderr,
+ _("%s: Cannot create IProp RPC service (PROG=%d, VERS=%d)\n"),
+ whoami,
+ KRB5_IPROP_PROG, KRB5_IPROP_VERS);
+ krb5_klog_syslog(LOG_ERR,
+ _("Cannot create IProp RPC service (PROG=%d, VERS=%d), failing."),
+ KRB5_IPROP_PROG, KRB5_IPROP_VERS);
+ krb5_klog_close(context);
+ exit(1);
+ }
#endif
#if 0 /* authgss only? */
- if ((ret = kiprop_get_adm_host_srv_name(context,
- params.realm,
- &kiprop_name)) != 0) {
- krb5_klog_syslog(LOG_ERR,
- _("%s while getting IProp svc name, failing"),
- error_message(ret));
- fprintf(stderr,
- _("%s: %s while getting IProp svc name, failing\n"),
- whoami, error_message(ret));
- krb5_klog_close(context);
- exit(1);
- }
-
- auth_gssapi_name iprop_name;
- iprop_name.name = build_princ_name(foo, bar);
- if (iprop_name.name == NULL) {
- foo error;
- }
- iprop_name.type = nt_krb5_name_oid;
- if (svcauth_gssapi_set_names(&iprop_name, 1) == FALSE) {
- foo error;
- }
- if (!rpc_gss_set_svc_name(kiprop_name, "kerberos_v5", 0,
- KRB5_IPROP_PROG, KRB5_IPROP_VERS)) {
- rpc_gss_error_t err;
- (void) rpc_gss_get_error(&err);
-
- krb5_klog_syslog(LOG_ERR,
- _("Unable to set RPCSEC_GSS service name (`%s'), failing."),
- kiprop_name ? kiprop_name : "<null>");
-
- fprintf(stderr,
- _("%s: Unable to set RPCSEC_GSS service name (`%s'), failing.\n"),
- whoami,
- kiprop_name ? kiprop_name : "<null>");
-
- if (nofork) {
- fprintf(stderr,
- "%s: set svc name (rpcsec err=%d, sys err=%d)\n",
- whoami,
- err.rpc_gss_error,
- err.system_error);
- }
-
- exit(1);
- }
- free(kiprop_name);
+ if ((ret = kiprop_get_adm_host_srv_name(context,
+ params.realm,
+ &kiprop_name)) != 0) {
+ krb5_klog_syslog(LOG_ERR,
+ _("%s while getting IProp svc name, failing"),
+ error_message(ret));
+ fprintf(stderr,
+ _("%s: %s while getting IProp svc name, failing\n"),
+ whoami, error_message(ret));
+ krb5_klog_close(context);
+ exit(1);
+ }
+
+ auth_gssapi_name iprop_name;
+ iprop_name.name = build_princ_name(foo, bar);
+ if (iprop_name.name == NULL) {
+ foo error;
+ }
+ iprop_name.type = nt_krb5_name_oid;
+ if (svcauth_gssapi_set_names(&iprop_name, 1) == FALSE) {
+ foo error;
+ }
+ if (!rpc_gss_set_svc_name(kiprop_name, "kerberos_v5", 0,
+ KRB5_IPROP_PROG, KRB5_IPROP_VERS)) {
+ rpc_gss_error_t err;
+ (void) rpc_gss_get_error(&err);
+
+ krb5_klog_syslog(LOG_ERR,
+ _("Unable to set RPCSEC_GSS service name (`%s'), failing."),
+ kiprop_name ? kiprop_name : "<null>");
+
+ fprintf(stderr,
+ _("%s: Unable to set RPCSEC_GSS service name (`%s'), failing.\n"),
+ whoami,
+ kiprop_name ? kiprop_name : "<null>");
+
+ if (nofork) {
+ fprintf(stderr,
+ "%s: set svc name (rpcsec err=%d, sys err=%d)\n",
+ whoami,
+ err.rpc_gss_error,
+ err.system_error);
+ }
+
+ exit(1);
+ }
+ free(kiprop_name);
#endif
}
setup_signal_handlers(log_ctx->iproprole);
krb5_klog_syslog(LOG_INFO, _("starting"));
if (nofork)
- fprintf(stderr, "%s: starting...\n", whoami);
-
- listen_and_process(global_server_handle, whoami);
- krb5_klog_syslog(LOG_INFO, "finished, exiting");
-
- /* Clean up memory, etc */
- svcauth_gssapi_unset_names();
- kadm5_destroy(global_server_handle);
- closedown_network(global_server_handle, whoami);
- kadm5int_acl_finish(context, 0);
- if(gss_changepw_name) {
- (void) gss_release_name(&OMret, &gss_changepw_name);
- }
- if(gss_oldchangepw_name) {
- (void) gss_release_name(&OMret, &gss_oldchangepw_name);
- }
- for(i = 0 ; i < 4; i++) {
- if (names[i].name) {
- free(names[i].name);
- }
- }
-
- krb5_klog_close(context);
- krb5_free_context(context);
- exit(2);
+ fprintf(stderr, "%s: starting...\n", whoami);
+
+ listen_and_process(global_server_handle, whoami);
+ krb5_klog_syslog(LOG_INFO, "finished, exiting");
+
+ /* Clean up memory, etc */
+ svcauth_gssapi_unset_names();
+ kadm5_destroy(global_server_handle);
+ closedown_network(global_server_handle, whoami);
+ kadm5int_acl_finish(context, 0);
+ if(gss_changepw_name) {
+ (void) gss_release_name(&OMret, &gss_changepw_name);
+ }
+ if(gss_oldchangepw_name) {
+ (void) gss_release_name(&OMret, &gss_oldchangepw_name);
+ }
+ for(i = 0 ; i < 4; i++) {
+ if (names[i].name) {
+ free(names[i].name);
+ }
+ }
+
+ krb5_klog_close(context);
+ krb5_free_context(context);
+ exit(2);
}
/*
@@ -615,123 +616,123 @@ kterr:
void setup_signal_handlers(iprop_role iproprole) {
#ifdef POSIX_SIGNALS
- (void) sigemptyset(&s_action.sa_mask);
- s_action.sa_handler = request_exit;
- (void) sigaction(SIGINT, &s_action, (struct sigaction *) NULL);
- (void) sigaction(SIGTERM, &s_action, (struct sigaction *) NULL);
- (void) sigaction(SIGQUIT, &s_action, (struct sigaction *) NULL);
- s_action.sa_handler = request_hup;
- (void) sigaction(SIGHUP, &s_action, (struct sigaction *) NULL);
- s_action.sa_handler = sig_pipe;
- (void) sigaction(SIGPIPE, &s_action, (struct sigaction *) NULL);
+ (void) sigemptyset(&s_action.sa_mask);
+ s_action.sa_handler = request_exit;
+ (void) sigaction(SIGINT, &s_action, (struct sigaction *) NULL);
+ (void) sigaction(SIGTERM, &s_action, (struct sigaction *) NULL);
+ (void) sigaction(SIGQUIT, &s_action, (struct sigaction *) NULL);
+ s_action.sa_handler = request_hup;
+ (void) sigaction(SIGHUP, &s_action, (struct sigaction *) NULL);
+ s_action.sa_handler = sig_pipe;
+ (void) sigaction(SIGPIPE, &s_action, (struct sigaction *) NULL);
#ifdef PURIFY
- s_action.sa_handler = request_pure_report;
- (void) sigaction(SIGUSR1, &s_action, (struct sigaction *) NULL);
- s_action.sa_handler = request_pure_clear;
- (void) sigaction(SIGUSR2, &s_action, (struct sigaction *) NULL);
+ s_action.sa_handler = request_pure_report;
+ (void) sigaction(SIGUSR1, &s_action, (struct sigaction *) NULL);
+ s_action.sa_handler = request_pure_clear;
+ (void) sigaction(SIGUSR2, &s_action, (struct sigaction *) NULL);
#endif /* PURIFY */
- /*
- * IProp will fork for a full-resync, we don't want to
- * wait on it and we don't want the living dead procs either.
- */
- if (iproprole == IPROP_MASTER) {
- s_action.sa_handler = SIG_IGN;
- (void) sigaction(SIGCHLD, &s_action, (struct sigaction *) NULL);
- }
+ /*
+ * IProp will fork for a full-resync, we don't want to
+ * wait on it and we don't want the living dead procs either.
+ */
+ if (iproprole == IPROP_MASTER) {
+ s_action.sa_handler = SIG_IGN;
+ (void) sigaction(SIGCHLD, &s_action, (struct sigaction *) NULL);
+ }
#else /* POSIX_SIGNALS */
- signal(SIGINT, request_exit);
- signal(SIGTERM, request_exit);
- signal(SIGQUIT, request_exit);
- signal(SIGHUP, request_hup);
- signal(SIGPIPE, sig_pipe);
+ signal(SIGINT, request_exit);
+ signal(SIGTERM, request_exit);
+ signal(SIGQUIT, request_exit);
+ signal(SIGHUP, request_hup);
+ signal(SIGPIPE, sig_pipe);
#ifdef PURIFY
- signal(SIGUSR1, request_pure_report);
- signal(SIGUSR2, request_pure_clear);
+ signal(SIGUSR1, request_pure_report);
+ signal(SIGUSR2, request_pure_clear);
#endif /* PURIFY */
- /*
- * IProp will fork for a full-resync, we don't want to
- * wait on it and we don't want the living dead procs either.
- */
- if (iproprole == IPROP_MASTER)
- (void) signal(SIGCHLD, SIG_IGN);
+ /*
+ * IProp will fork for a full-resync, we don't want to
+ * wait on it and we don't want the living dead procs either.
+ */
+ if (iproprole == IPROP_MASTER)
+ (void) signal(SIGCHLD, SIG_IGN);
#endif /* POSIX_SIGNALS */
}
#ifdef PURIFY
/*
* Function: request_pure_report
- *
+ *
* Purpose: sets flag saying the server got a signal and that it should
- * dump a purify report when convenient.
+ * dump a purify report when convenient.
*
* Arguments:
* Requires:
* Effects:
* Modifies:
- * sets signal_pure_report to one
+ * sets signal_pure_report to one
*/
void request_pure_report(int signum)
{
- krb5_klog_syslog(LOG_DEBUG, "Got signal to request a Purify report");
- signal_pure_report = 1;
- return;
+ krb5_klog_syslog(LOG_DEBUG, "Got signal to request a Purify report");
+ signal_pure_report = 1;
+ return;
}
/*
* Function: request_pure_clear
- *
+ *
* Purpose: sets flag saying the server got a signal and that it should
- * dump a purify report when convenient, then clear the
- * purify tables.
+ * dump a purify report when convenient, then clear the
+ * purify tables.
*
* Arguments:
* Requires:
* Effects:
* Modifies:
- * sets signal_pure_report to one
- * sets signal_pure_clear to one
+ * sets signal_pure_report to one
+ * sets signal_pure_clear to one
*/
void request_pure_clear(int signum)
{
- krb5_klog_syslog(LOG_DEBUG, "Got signal to request a Purify report and clear the old Purify info");
- signal_pure_report = 1;
- signal_pure_clear = 1;
- return;
+ krb5_klog_syslog(LOG_DEBUG, "Got signal to request a Purify report and clear the old Purify info");
+ signal_pure_report = 1;
+ signal_pure_clear = 1;
+ return;
}
#endif /* PURIFY */
/*
* Function: request_hup
- *
+ *
* Purpose: sets flag saying the server got a signal and that it should
- * reset the database files when convenient.
+ * reset the database files when convenient.
*
* Arguments:
* Requires:
* Effects:
* Modifies:
- * sets signal_request_hup to one
+ * sets signal_request_hup to one
*/
void request_hup(int signum)
{
- signal_request_hup = 1;
- return;
+ signal_request_hup = 1;
+ return;
}
/*
* Function: reset_db
- *
+ *
* Purpose: flushes the currently opened database files to disk.
*
* Arguments:
* Requires:
* Effects:
- *
+ *
* Currently, just sets signal_request_reset to 0. The kdb and adb
* libraries used to be sufficiently broken that it was prudent to
* close and reopen the databases periodically. They are no longer
@@ -740,42 +741,42 @@ void request_hup(int signum)
void reset_db(void)
{
#ifdef notdef
- kadm5_ret_t ret;
- char *errmsg;
-
- if (ret = kadm5_flush(global_server_handle)) {
- krb5_klog_syslog(LOG_ERR, "FATAL ERROR! %s while flushing databases. "
- "Databases may be corrupt! Aborting.",
- krb5_get_error_message (context, ret));
- krb5_klog_close(context);
- exit(3);
- }
+ kadm5_ret_t ret;
+ char *errmsg;
+
+ if (ret = kadm5_flush(global_server_handle)) {
+ krb5_klog_syslog(LOG_ERR, "FATAL ERROR! %s while flushing databases. "
+ "Databases may be corrupt! Aborting.",
+ krb5_get_error_message (context, ret));
+ krb5_klog_close(context);
+ exit(3);
+ }
#endif
- return;
+ return;
}
/*
* Function: request_exit
- *
+ *
* Purpose: sets flags saying the server got a signal and that it
- * should exit when convient.
+ * should exit when convient.
*
* Arguments:
* Requires:
* Effects:
- * modifies signal_request_exit which ideally makes the server exit
- * at some point.
+ * modifies signal_request_exit which ideally makes the server exit
+ * at some point.
*
* Modifies:
- * signal_request_exit
+ * signal_request_exit
*/
void request_exit(int signum)
{
- krb5_klog_syslog(LOG_DEBUG, "Got signal to request exit");
- signal_request_exit = 1;
- return;
+ krb5_klog_syslog(LOG_DEBUG, "Got signal to request exit");
+ signal_request_exit = 1;
+ return;
}
/*
@@ -789,40 +790,40 @@ void request_exit(int signum)
*/
void sig_pipe(int unused)
{
- krb5_klog_syslog(LOG_NOTICE, "Warning: Received a SIGPIPE; probably a "
- "client aborted. Continuing.");
- return;
+ krb5_klog_syslog(LOG_NOTICE, "Warning: Received a SIGPIPE; probably a "
+ "client aborted. Continuing.");
+ return;
}
/*
* Function: build_princ_name
- *
+ *
* Purpose: takes a name and a realm and builds a string that can be
- * consumed by krb5_parse_name.
+ * consumed by krb5_parse_name.
*
* Arguments:
- * name (input) name to be part of principal
- * realm (input) realm part of principal
- * <return value> char * pointing to "name@realm"
+ * name (input) name to be part of principal
+ * realm (input) realm part of principal
+ * <return value> char * pointing to "name@realm"
*
* Requires:
- * name be non-null.
- *
+ * name be non-null.
+ *
* Effects:
* Modifies:
*/
char *build_princ_name(char *name, char *realm)
{
- char *fullname;
+ char *fullname;
- if (realm) {
- if (asprintf(&fullname, "%s@%s", name, realm) < 0)
- fullname = NULL;
- } else
- fullname = strdup(name);
+ if (realm) {
+ if (asprintf(&fullname, "%s@%s", name, realm) < 0)
+ fullname = NULL;
+ } else
+ fullname = strdup(name);
- return fullname;
+ return fullname;
}
/*
@@ -832,11 +833,11 @@ char *build_princ_name(char *name, char *realm)
* messages.
*
* Argiments:
- * client_name (r) GSS-API client name
- * server_name (r) GSS-API server name
- * rqst (r) RPC service request
- * msg (r) RPC message
- * data (r) arbitrary data (NULL), not used
+ * client_name (r) GSS-API client name
+ * server_name (r) GSS-API server name
+ * rqst (r) RPC service request
+ * msg (r) RPC message
+ * data (r) arbitrary data (NULL), not used
*
* Effects:
*
@@ -844,91 +845,91 @@ char *build_princ_name(char *name, char *realm)
* format.
*/
void log_badverf(gss_name_t client_name, gss_name_t server_name,
- struct svc_req *rqst, struct rpc_msg *msg, char
- *data)
+ struct svc_req *rqst, struct rpc_msg *msg, char
+ *data)
{
- struct procnames {
- rpcproc_t proc;
- const char *proc_name;
- };
- static const struct procnames proc_names[] = {
- {1, "CREATE_PRINCIPAL"},
- {2, "DELETE_PRINCIPAL"},
- {3, "MODIFY_PRINCIPAL"},
- {4, "RENAME_PRINCIPAL"},
- {5, "GET_PRINCIPAL"},
- {6, "CHPASS_PRINCIPAL"},
- {7, "CHRAND_PRINCIPAL"},
- {8, "CREATE_POLICY"},
- {9, "DELETE_POLICY"},
- {10, "MODIFY_POLICY"},
- {11, "GET_POLICY"},
- {12, "GET_PRIVS"},
- {13, "INIT"},
- {14, "GET_PRINCS"},
- {15, "GET_POLS"},
- {16, "SETKEY_PRINCIPAL"},
- {17, "SETV4KEY_PRINCIPAL"},
- {18, "CREATE_PRINCIPAL3"},
- {19, "CHPASS_PRINCIPAL3"},
- {20, "CHRAND_PRINCIPAL3"},
- {21, "SETKEY_PRINCIPAL3"}
- };
+ struct procnames {
+ rpcproc_t proc;
+ const char *proc_name;
+ };
+ static const struct procnames proc_names[] = {
+ {1, "CREATE_PRINCIPAL"},
+ {2, "DELETE_PRINCIPAL"},
+ {3, "MODIFY_PRINCIPAL"},
+ {4, "RENAME_PRINCIPAL"},
+ {5, "GET_PRINCIPAL"},
+ {6, "CHPASS_PRINCIPAL"},
+ {7, "CHRAND_PRINCIPAL"},
+ {8, "CREATE_POLICY"},
+ {9, "DELETE_POLICY"},
+ {10, "MODIFY_POLICY"},
+ {11, "GET_POLICY"},
+ {12, "GET_PRIVS"},
+ {13, "INIT"},
+ {14, "GET_PRINCS"},
+ {15, "GET_POLS"},
+ {16, "SETKEY_PRINCIPAL"},
+ {17, "SETV4KEY_PRINCIPAL"},
+ {18, "CREATE_PRINCIPAL3"},
+ {19, "CHPASS_PRINCIPAL3"},
+ {20, "CHRAND_PRINCIPAL3"},
+ {21, "SETKEY_PRINCIPAL3"}
+ };
#define NPROCNAMES (sizeof (proc_names) / sizeof (struct procnames))
- OM_uint32 minor;
- gss_buffer_desc client, server;
- gss_OID gss_type;
- char *a;
- rpcproc_t proc;
- int i;
- const char *procname;
- size_t clen, slen;
- char *cdots, *sdots;
-
- client.length = 0;
- client.value = NULL;
- server.length = 0;
- server.value = NULL;
-
- (void) gss_display_name(&minor, client_name, &client, &gss_type);
- (void) gss_display_name(&minor, server_name, &server, &gss_type);
- if (client.value == NULL) {
- client.value = "(null)";
- clen = sizeof("(null)") -1;
- } else {
- clen = client.length;
- }
- trunc_name(&clen, &cdots);
- if (server.value == NULL) {
- server.value = "(null)";
- slen = sizeof("(null)") - 1;
- } else {
- slen = server.length;
- }
- trunc_name(&slen, &sdots);
- a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
-
- proc = msg->rm_call.cb_proc;
- procname = NULL;
- for (i = 0; i < NPROCNAMES; i++) {
- if (proc_names[i].proc == proc) {
- procname = proc_names[i].proc_name;
- break;
- }
- }
- if (procname != NULL)
- krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
- "claimed client = %.*s%s, server = %.*s%s, addr = %s",
- procname, (int) clen, (char *) client.value, cdots,
- (int) slen, (char *) server.value, sdots, a);
- else
- krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
- "claimed client = %.*s%s, server = %.*s%s, addr = %s",
- proc, (int) clen, (char *) client.value, cdots,
- (int) slen, (char *) server.value, sdots, a);
-
- (void) gss_release_buffer(&minor, &client);
- (void) gss_release_buffer(&minor, &server);
+ OM_uint32 minor;
+ gss_buffer_desc client, server;
+ gss_OID gss_type;
+ char *a;
+ rpcproc_t proc;
+ int i;
+ const char *procname;
+ size_t clen, slen;
+ char *cdots, *sdots;
+
+ client.length = 0;
+ client.value = NULL;
+ server.length = 0;
+ server.value = NULL;
+
+ (void) gss_display_name(&minor, client_name, &client, &gss_type);
+ (void) gss_display_name(&minor, server_name, &server, &gss_type);
+ if (client.value == NULL) {
+ client.value = "(null)";
+ clen = sizeof("(null)") -1;
+ } else {
+ clen = client.length;
+ }
+ trunc_name(&clen, &cdots);
+ if (server.value == NULL) {
+ server.value = "(null)";
+ slen = sizeof("(null)") - 1;
+ } else {
+ slen = server.length;
+ }
+ trunc_name(&slen, &sdots);
+ a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
+
+ proc = msg->rm_call.cb_proc;
+ procname = NULL;
+ for (i = 0; i < NPROCNAMES; i++) {
+ if (proc_names[i].proc == proc) {
+ procname = proc_names[i].proc_name;
+ break;
+ }
+ }
+ if (procname != NULL)
+ krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
+ "claimed client = %.*s%s, server = %.*s%s, addr = %s",
+ procname, (int) clen, (char *) client.value, cdots,
+ (int) slen, (char *) server.value, sdots, a);
+ else
+ krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
+ "claimed client = %.*s%s, server = %.*s%s, addr = %s",
+ proc, (int) clen, (char *) client.value, cdots,
+ (int) slen, (char *) server.value, sdots, a);
+
+ (void) gss_release_buffer(&minor, &client);
+ (void) gss_release_buffer(&minor, &server);
}
/*
@@ -937,10 +938,10 @@ void log_badverf(gss_name_t client_name, gss_name_t server_name,
* Purpose: Callback from GSS-API Sun RPC for miscellaneous errors
*
* Arguments:
- * rqst (r) RPC service request
- * msg (r) RPC message
- * error (r) error message from RPC
- * data (r) arbitrary data (NULL), not used
+ * rqst (r) RPC service request
+ * msg (r) RPC message
+ * error (r) error message from RPC
+ * data (r) arbitrary data (NULL), not used
*
* Effects:
*
@@ -948,12 +949,12 @@ void log_badverf(gss_name_t client_name, gss_name_t server_name,
* format.
*/
void log_miscerr(struct svc_req *rqst, struct rpc_msg *msg,
- char *error, char *data)
+ char *error, char *data)
{
- char *a;
-
- a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
- krb5_klog_syslog(LOG_NOTICE, "Miscellaneous RPC error: %s, %s", a, error);
+ char *a;
+
+ a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
+ krb5_klog_syslog(LOG_NOTICE, "Miscellaneous RPC error: %s, %s", a, error);
}
@@ -965,10 +966,10 @@ void log_miscerr(struct svc_req *rqst, struct rpc_msg *msg,
* failures/errors.
*
* Arguments:
- * major (r) GSS-API major status
- * minor (r) GSS-API minor status
- * addr (r) originating address
- * data (r) arbitrary data (NULL), not used
+ * major (r) GSS-API major status
+ * minor (r) GSS-API minor status
+ * addr (r) originating address
+ * data (r) arbitrary data (NULL), not used
*
* Effects:
*
@@ -976,57 +977,56 @@ void log_miscerr(struct svc_req *rqst, struct rpc_msg *msg,
* format.
*/
void log_badauth(OM_uint32 major, OM_uint32 minor,
- struct sockaddr_in *addr, char *data)
+ struct sockaddr_in *addr, char *data)
{
- char *a;
-
- /* Authentication attempt failed: <IP address>, <GSS-API error */
- /* strings> */
+ char *a;
+
+ /* Authentication attempt failed: <IP address>, <GSS-API error */
+ /* strings> */
- a = inet_ntoa(addr->sin_addr);
+ a = inet_ntoa(addr->sin_addr);
- krb5_klog_syslog(LOG_NOTICE, "Authentication attempt failed: %s, GSS-API "
- "error strings are:", a);
- log_badauth_display_status(" ", major, minor);
- krb5_klog_syslog(LOG_NOTICE, " GSS-API error strings complete.");
+ krb5_klog_syslog(LOG_NOTICE, "Authentication attempt failed: %s, GSS-API "
+ "error strings are:", a);
+ log_badauth_display_status(" ", major, minor);
+ krb5_klog_syslog(LOG_NOTICE, " GSS-API error strings complete.");
}
void log_badauth_display_status(char *msg, OM_uint32 major, OM_uint32 minor)
{
- log_badauth_display_status_1(msg, major, GSS_C_GSS_CODE, 0);
- log_badauth_display_status_1(msg, minor, GSS_C_MECH_CODE, 0);
+ log_badauth_display_status_1(msg, major, GSS_C_GSS_CODE, 0);
+ log_badauth_display_status_1(msg, minor, GSS_C_MECH_CODE, 0);
}
void log_badauth_display_status_1(char *m, OM_uint32 code, int type,
- int rec)
+ int rec)
{
- OM_uint32 gssstat, minor_stat;
- gss_buffer_desc msg;
- OM_uint32 msg_ctx;
-
- msg_ctx = 0;
- while (1) {
- gssstat = gss_display_status(&minor_stat, code,
- type, GSS_C_NULL_OID,
- &msg_ctx, &msg);
- if (gssstat != GSS_S_COMPLETE) {
- if (!rec) {
- log_badauth_display_status_1(m,gssstat,GSS_C_GSS_CODE,1);
- log_badauth_display_status_1(m, minor_stat,
- GSS_C_MECH_CODE, 1);
- } else
- krb5_klog_syslog(LOG_ERR, "GSS-API authentication error %.*s: "
- "recursive failure!", (int) msg.length,
- (char *) msg.value);
- return;
- }
-
- krb5_klog_syslog(LOG_NOTICE, "%s %.*s", m, (int)msg.length,
- (char *)msg.value);
- (void) gss_release_buffer(&minor_stat, &msg);
-
- if (!msg_ctx)
- break;
- }
+ OM_uint32 gssstat, minor_stat;
+ gss_buffer_desc msg;
+ OM_uint32 msg_ctx;
+
+ msg_ctx = 0;
+ while (1) {
+ gssstat = gss_display_status(&minor_stat, code,
+ type, GSS_C_NULL_OID,
+ &msg_ctx, &msg);
+ if (gssstat != GSS_S_COMPLETE) {
+ if (!rec) {
+ log_badauth_display_status_1(m,gssstat,GSS_C_GSS_CODE,1);
+ log_badauth_display_status_1(m, minor_stat,
+ GSS_C_MECH_CODE, 1);
+ } else
+ krb5_klog_syslog(LOG_ERR, "GSS-API authentication error %.*s: "
+ "recursive failure!", (int) msg.length,
+ (char *) msg.value);
+ return;
+ }
+
+ krb5_klog_syslog(LOG_NOTICE, "%s %.*s", m, (int)msg.length,
+ (char *)msg.value);
+ (void) gss_release_buffer(&minor_stat, &msg);
+
+ if (!msg_ctx)
+ break;
+ }
}
-
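Review bot: In log_badauth_display_status_1, `msg` is never initialized, and the recursive-failure branch prints `msg.length` and `msg.value` right after `gss_display_status` has reported an error, so the `%.*s` arguments may be indeterminate. Initializing it with `gss_buffer_desc msg = GSS_C_EMPTY_BUFFER;` and logging the numeric status instead of the buffer in that branch avoids reading it, for example `krb5_klog_syslog(LOG_ERR, "GSS-API authentication error %u: recursive failure!", (unsigned int) code);`. Whether the GSS library clears the output buffer on failure is not visible here, so the current code relies on behaviour the hunk does not establish.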
diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
index c3b7fa1e3e..c1b2217325 100644
--- a/src/kadmin/server/schpw.c
+++ b/src/kadmin/server/schpw.c
@@ -1,7 +1,8 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "k5-int.h"
#include <kadm5/admin.h>
#include <syslog.h>
-#include <adm_proto.h> /* krb5_klog_syslog */
+#include <adm_proto.h> /* krb5_klog_syslog */
#include <stdio.h>
#include <errno.h>
@@ -11,19 +12,19 @@
#define GETSOCKNAME_ARG3_TYPE int
#endif
-#define RFC3244_VERSION 0xff80
+#define RFC3244_VERSION 0xff80
krb5_error_code
process_chpw_request(context, server_handle, realm, keytab,
- local_faddr, remote_faddr, req, rep)
- krb5_context context;
- void *server_handle;
- char *realm;
- krb5_keytab keytab;
- krb5_fulladdr *local_faddr;
- krb5_fulladdr *remote_faddr;
- krb5_data *req;
- krb5_data *rep;
+ local_faddr, remote_faddr, req, rep)
+ krb5_context context;
+ void *server_handle;
+ char *realm;
+ krb5_keytab keytab;
+ krb5_fulladdr *local_faddr;
+ krb5_fulladdr *remote_faddr;
+ krb5_data *req;
+ krb5_data *rep;
{
krb5_error_code ret;
char *ptr;
@@ -58,12 +59,12 @@ process_chpw_request(context, server_handle, realm, keytab,
cipher.length = 0;
if (req->length < 4) {
- /* either this, or the server is printing bad messages,
- or the caller passed in garbage */
- ret = KRB5KRB_AP_ERR_MODIFIED;
- numresult = KRB5_KPASSWD_MALFORMED;
- strlcpy(strresult, "Request was truncated", sizeof(strresult));
- goto chpwfail;
+ /* either this, or the server is printing bad messages,
+ or the caller passed in garbage */
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated", sizeof(strresult));
+ goto chpwfail;
}
ptr = req->data;
@@ -74,7 +75,7 @@ process_chpw_request(context, server_handle, realm, keytab,
plen = (plen<<8) | (*ptr++ & 0xff);
if (plen != req->length)
- return(KRB5KRB_AP_ERR_MODIFIED);
+ return(KRB5KRB_AP_ERR_MODIFIED);
/* verify version number */
@@ -82,11 +83,11 @@ process_chpw_request(context, server_handle, realm, keytab,
vno = (vno<<8) | (*ptr++ & 0xff);
if (vno != 1 && vno != RFC3244_VERSION) {
- ret = KRB5KDC_ERR_BAD_PVNO;
- numresult = KRB5_KPASSWD_BAD_VERSION;
- snprintf(strresult, sizeof(strresult),
- "Request contained unknown protocol version number %d", vno);
- goto chpwfail;
+ ret = KRB5KDC_ERR_BAD_PVNO;
+ numresult = KRB5_KPASSWD_BAD_VERSION;
+ snprintf(strresult, sizeof(strresult),
+ "Request contained unknown protocol version number %d", vno);
+ goto chpwfail;
}
/* read, check ap-req length */
@@ -95,11 +96,11 @@ process_chpw_request(context, server_handle, realm, keytab,
ap_req.length = (ap_req.length<<8) | (*ptr++ & 0xff);
if (ptr + ap_req.length >= req->data + req->length) {
- ret = KRB5KRB_AP_ERR_MODIFIED;
- numresult = KRB5_KPASSWD_MALFORMED;
- strlcpy(strresult, "Request was truncated in AP-REQ",
- sizeof(strresult));
- goto chpwfail;
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Request was truncated in AP-REQ",
+ sizeof(strresult));
+ goto chpwfail;
}
/* verify ap_req */
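Review bot: The bound check `ptr + ap_req.length >= req->data + req->length` forms a pointer from a length taken off the wire before that length is validated, so an oversized value makes the addition itself undefined rather than merely out of range. Comparing the length against the bytes that remain avoids that: `if (ap_req.length >= (size_t)(req->data + req->length - ptr)) {`. By this point the parser appears to have consumed six header bytes (length, version, AP-REQ length), yet the only floor visible on this page is `req->length < 4` in an earlier hunk; whether another check sits between them cannot be seen here. process_chpw_request starts and ends outside this hunk.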
@@ -109,38 +110,38 @@ process_chpw_request(context, server_handle, realm, keytab,
ret = krb5_auth_con_init(context, &auth_context);
if (ret) {
- numresult = KRB5_KPASSWD_HARDERROR;
- strlcpy(strresult, "Failed initializing auth context",
- sizeof(strresult));
- goto chpwfail;
+ numresult = KRB5_KPASSWD_HARDERROR;
+ strlcpy(strresult, "Failed initializing auth context",
+ sizeof(strresult));
+ goto chpwfail;
}
ret = krb5_auth_con_setflags(context, auth_context,
- KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE);
if (ret) {
- numresult = KRB5_KPASSWD_HARDERROR;
- strlcpy(strresult, "Failed initializing auth context",
- sizeof(strresult));
- goto chpwfail;
+ numresult = KRB5_KPASSWD_HARDERROR;
+ strlcpy(strresult, "Failed initializing auth context",
+ sizeof(strresult));
+ goto chpwfail;
}
-
+
ret = krb5_build_principal(context, &changepw, strlen(realm), realm,
- "kadmin", "changepw", NULL);
+ "kadmin", "changepw", NULL);
if (ret) {
- numresult = KRB5_KPASSWD_HARDERROR;
- strlcpy(strresult, "Failed building kadmin/changepw principal",
- sizeof(strresult));
- goto chpwfail;
+ numresult = KRB5_KPASSWD_HARDERROR;
+ strlcpy(strresult, "Failed building kadmin/changepw principal",
+ sizeof(strresult));
+ goto chpwfail;
}
ret = krb5_rd_req(context, &auth_context, &ap_req, changepw, keytab,
- NULL, &ticket);
+ NULL, &ticket);
if (ret) {
- numresult = KRB5_KPASSWD_AUTHERROR;
- strlcpy(strresult, "Failed reading application request",
- sizeof(strresult));
- goto chpwfail;
+ numresult = KRB5_KPASSWD_AUTHERROR;
+ strlcpy(strresult, "Failed reading application request",
+ sizeof(strresult));
+ goto chpwfail;
}
/* mk_priv requires that the local address be set.
@@ -158,22 +159,22 @@ process_chpw_request(context, server_handle, realm, keytab,
is specified. Are we having fun yet? */
ret = krb5_auth_con_setaddrs(context, auth_context, NULL,
- remote_faddr->address);
+ remote_faddr->address);
if (ret) {
- numresult = KRB5_KPASSWD_HARDERROR;
- strlcpy(strresult, "Failed storing client internet address",
- sizeof(strresult));
- goto chpwfail;
+ numresult = KRB5_KPASSWD_HARDERROR;
+ strlcpy(strresult, "Failed storing client internet address",
+ sizeof(strresult));
+ goto chpwfail;
}
/* construct the ap-rep */
ret = krb5_mk_rep(context, auth_context, &ap_rep);
if (ret) {
- numresult = KRB5_KPASSWD_AUTHERROR;
- strlcpy(strresult, "Failed replying to application request",
- sizeof(strresult));
- goto chpwfail;
+ numresult = KRB5_KPASSWD_AUTHERROR;
+ strlcpy(strresult, "Failed replying to application request",
+ sizeof(strresult));
+ goto chpwfail;
}
/* decrypt the ChangePasswdData */
@@ -183,57 +184,57 @@ process_chpw_request(context, server_handle, realm, keytab,
ret = krb5_rd_priv(context, auth_context, &cipher, &clear, &replay);
if (ret) {
- numresult = KRB5_KPASSWD_HARDERROR;
- strlcpy(strresult, "Failed decrypting request", sizeof(strresult));
- goto chpwfail;
+ numresult = KRB5_KPASSWD_HARDERROR;
+ strlcpy(strresult, "Failed decrypting request", sizeof(strresult));
+ goto chpwfail;
}
client = ticket->enc_part2->client;
/* decode ChangePasswdData for setpw requests */
if (vno == RFC3244_VERSION) {
- krb5_data *clear_data;
-
- ret = decode_krb5_setpw_req(&clear, &clear_data, &target);
- if (ret != 0) {
- numresult = KRB5_KPASSWD_MALFORMED;
- strlcpy(strresult, "Failed decoding ChangePasswdData",
- sizeof(strresult));
- goto chpwfail;
- }
-
- memset(clear.data, 0, clear.length);
- free(clear.data);
-
- clear = *clear_data;
- free(clear_data);
-
- if (target != NULL) {
- ret = krb5_unparse_name(context, target, &targetstr);
- if (ret != 0) {
- numresult = KRB5_KPASSWD_HARDERROR;
- strlcpy(strresult, "Failed unparsing target name for log",
- sizeof(strresult));
- goto chpwfail;
- }
- }
+ krb5_data *clear_data;
+
+ ret = decode_krb5_setpw_req(&clear, &clear_data, &target);
+ if (ret != 0) {
+ numresult = KRB5_KPASSWD_MALFORMED;
+ strlcpy(strresult, "Failed decoding ChangePasswdData",
+ sizeof(strresult));
+ goto chpwfail;
+ }
+
+ memset(clear.data, 0, clear.length);
+ free(clear.data);
+
+ clear = *clear_data;
+ free(clear_data);
+
+ if (target != NULL) {
+ ret = krb5_unparse_name(context, target, &targetstr);
+ if (ret != 0) {
+ numresult = KRB5_KPASSWD_HARDERROR;
+ strlcpy(strresult, "Failed unparsing target name for log",
+ sizeof(strresult));
+ goto chpwfail;
+ }
+ }
}
ret = krb5_unparse_name(context, client, &clientstr);
if (ret) {
- numresult = KRB5_KPASSWD_HARDERROR;
- strlcpy(strresult, "Failed unparsing client name for log",
- sizeof(strresult));
- goto chpwfail;
+ numresult = KRB5_KPASSWD_HARDERROR;
+ strlcpy(strresult, "Failed unparsing client name for log",
+ sizeof(strresult));
+ goto chpwfail;
}
/* for cpw, verify that this is an AS_REQ ticket */
if (vno == 1 &&
- (ticket->enc_part2->flags & TKT_FLG_INITIAL) == 0) {
- numresult = KRB5_KPASSWD_INITIAL_FLAG_NEEDED;
- strlcpy(strresult, "Ticket must be derived from a password",
- sizeof(strresult));
- goto chpwfail;
+ (ticket->enc_part2->flags & TKT_FLG_INITIAL) == 0) {
+ numresult = KRB5_KPASSWD_INITIAL_FLAG_NEEDED;
+ strlcpy(strresult, "Ticket must be derived from a password",
+ sizeof(strresult));
+ goto chpwfail;
}
/* change the password */
@@ -243,10 +244,10 @@ process_chpw_request(context, server_handle, realm, keytab,
ptr[clear.length] = '\0';
ret = schpw_util_wrapper(server_handle, client, target,
- (ticket->enc_part2->flags & TKT_FLG_INITIAL) != 0,
- ptr, NULL, strresult, sizeof(strresult));
+ (ticket->enc_part2->flags & TKT_FLG_INITIAL) != 0,
+ ptr, NULL, strresult, sizeof(strresult));
if (ret)
- errmsg = krb5_get_error_message(context, ret);
+ errmsg = krb5_get_error_message(context, ret);
/* zap the password */
memset(clear.data, 0, clear.length);
@@ -260,81 +261,81 @@ process_chpw_request(context, server_handle, realm, keytab,
switch (addr->addrtype) {
case ADDRTYPE_INET: {
- struct sockaddr_in *sin = ss2sin(&ss);
+ struct sockaddr_in *sin = ss2sin(&ss);
- sin->sin_family = AF_INET;
- memcpy(&sin->sin_addr, addr->contents, addr->length);
- sin->sin_port = htons(remote_faddr->port);
- salen = sizeof(*sin);
- break;
+ sin->sin_family = AF_INET;
+ memcpy(&sin->sin_addr, addr->contents, addr->length);
+ sin->sin_port = htons(remote_faddr->port);
+ salen = sizeof(*sin);
+ break;
}
case ADDRTYPE_INET6: {
- struct sockaddr_in6 *sin6 = ss2sin6(&ss);
+ struct sockaddr_in6 *sin6 = ss2sin6(&ss);
- sin6->sin6_family = AF_INET6;
- memcpy(&sin6->sin6_addr, addr->contents, addr->length);
- sin6->sin6_port = htons(remote_faddr->port);
- salen = sizeof(*sin6);
- break;
+ sin6->sin6_family = AF_INET6;
+ memcpy(&sin6->sin6_addr, addr->contents, addr->length);
+ sin6->sin6_port = htons(remote_faddr->port);
+ salen = sizeof(*sin6);
+ break;
}
default: {
- struct sockaddr *sa = ss2sa(&ss);
+ struct sockaddr *sa = ss2sa(&ss);
- sa->sa_family = AF_UNSPEC;
- salen = sizeof(*sa);
- break;
+ sa->sa_family = AF_UNSPEC;
+ salen = sizeof(*sa);
+ break;
}
}
if (getnameinfo(ss2sa(&ss), salen,
- addrbuf, sizeof(addrbuf), NULL, 0,
- NI_NUMERICHOST | NI_NUMERICSERV) != 0)
- strlcpy(addrbuf, "<unprintable>", sizeof(addrbuf));
+ addrbuf, sizeof(addrbuf), NULL, 0,
+ NI_NUMERICHOST | NI_NUMERICSERV) != 0)
+ strlcpy(addrbuf, "<unprintable>", sizeof(addrbuf));
if (vno == RFC3244_VERSION) {
- size_t tlen;
- char *tdots;
- const char *targetp;
-
- if (target == NULL) {
- tlen = clen;
- tdots = cdots;
- targetp = targetstr;
- } else {
- tlen = strlen(targetstr);
- trunc_name(&tlen, &tdots);
- targetp = clientstr;
- }
-
- krb5_klog_syslog(LOG_NOTICE, "setpw request from %s by %.*s%s for %.*s%s: %s",
- addrbuf,
- (int) clen, clientstr, cdots,
- (int) tlen, targetp, tdots,
- errmsg ? errmsg : "success");
+ size_t tlen;
+ char *tdots;
+ const char *targetp;
+
+ if (target == NULL) {
+ tlen = clen;
+ tdots = cdots;
+ targetp = targetstr;
+ } else {
+ tlen = strlen(targetstr);
+ trunc_name(&tlen, &tdots);
+ targetp = clientstr;
+ }
+
+ krb5_klog_syslog(LOG_NOTICE, "setpw request from %s by %.*s%s for %.*s%s: %s",
+ addrbuf,
+ (int) clen, clientstr, cdots,
+ (int) tlen, targetp, tdots,
+ errmsg ? errmsg : "success");
} else {
- krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",
- addrbuf,
- (int) clen, clientstr, cdots,
- errmsg ? errmsg : "success");
+ krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",
+ addrbuf,
+ (int) clen, clientstr, cdots,
+ errmsg ? errmsg : "success");
}
switch (ret) {
case KADM5_AUTH_CHANGEPW:
- numresult = KRB5_KPASSWD_ACCESSDENIED;
- break;
+ numresult = KRB5_KPASSWD_ACCESSDENIED;
+ break;
case KADM5_PASS_Q_TOOSHORT:
case KADM5_PASS_REUSE:
case KADM5_PASS_Q_CLASS:
case KADM5_PASS_Q_DICT:
case KADM5_PASS_TOOSOON:
- numresult = KRB5_KPASSWD_HARDERROR;
- break;
+ numresult = KRB5_KPASSWD_HARDERROR;
+ break;
case 0:
- numresult = KRB5_KPASSWD_SUCCESS;
- strlcpy(strresult, "", sizeof(strresult));
- break;
+ numresult = KRB5_KPASSWD_SUCCESS;
+ strlcpy(strresult, "", sizeof(strresult));
+ break;
default:
- numresult = KRB5_KPASSWD_SOFTERROR;
- break;
+ numresult = KRB5_KPASSWD_SOFTERROR;
+ break;
}
chpwfail:
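Review bot: The setpw log branch assigns the wrong string in both arms: with `target == NULL` it sets `targetp = targetstr`, which is only filled in when a target was decoded, and otherwise it sets `targetp = clientstr` while `tlen` is computed from `targetstr`. The audit line therefore names the requesting client as the principal whose password was set, and in the no-target case hands `%.*s` a pointer that is presumably still NULL. Swapping the two assignments fixes both: `targetp = clientstr;` in the `target == NULL` arm and `targetp = targetstr;` in the `else` arm. process_chpw_request begins and ends outside this hunk, so the initial value of `targetstr` is inferred from the `if (targetstr)` cleanup test.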
@@ -352,66 +353,66 @@ chpwfail:
cipher.length = 0;
if (ap_rep.length) {
- ret = krb5_auth_con_setaddrs(context, auth_context,
- local_faddr->address, NULL);
- if (ret) {
- numresult = KRB5_KPASSWD_HARDERROR;
- strlcpy(strresult,
- "Failed storing client and server internet addresses",
- sizeof(strresult));
- } else {
- ret = krb5_mk_priv(context, auth_context, &clear, &cipher,
- &replay);
- if (ret) {
- numresult = KRB5_KPASSWD_HARDERROR;
- strlcpy(strresult, "Failed encrypting reply",
- sizeof(strresult));
- }
- }
+ ret = krb5_auth_con_setaddrs(context, auth_context,
+ local_faddr->address, NULL);
+ if (ret) {
+ numresult = KRB5_KPASSWD_HARDERROR;
+ strlcpy(strresult,
+ "Failed storing client and server internet addresses",
+ sizeof(strresult));
+ } else {
+ ret = krb5_mk_priv(context, auth_context, &clear, &cipher,
+ &replay);
+ if (ret) {
+ numresult = KRB5_KPASSWD_HARDERROR;
+ strlcpy(strresult, "Failed encrypting reply",
+ sizeof(strresult));
+ }
+ }
}
/* if no KRB-PRIV was constructed, then we need a KRB-ERROR.
if this fails, just bail. there's nothing else we can do. */
if (cipher.length == 0) {
- /* clear out ap_rep now, so that it won't be inserted in the
+ /* clear out ap_rep now, so that it won't be inserted in the
reply */
- if (ap_rep.length) {
- free(ap_rep.data);
- ap_rep.length = 0;
- }
-
- krberror.ctime = 0;
- krberror.cusec = 0;
- krberror.susec = 0;
- ret = krb5_timeofday(context, &krberror.stime);
- if (ret)
- goto bailout;
-
- /* this is really icky. but it's what all the other callers
- to mk_error do. */
- krberror.error = ret;
- krberror.error -= ERROR_TABLE_BASE_krb5;
- if (krberror.error < 0 || krberror.error > 128)
- krberror.error = KRB_ERR_GENERIC;
-
- krberror.client = NULL;
-
- ret = krb5_build_principal(context, &krberror.server,
- strlen(realm), realm,
- "kadmin", "changepw", NULL);
- if (ret)
- goto bailout;
- krberror.text.length = 0;
- krberror.e_data = clear;
-
- ret = krb5_mk_error(context, &krberror, &cipher);
-
- krb5_free_principal(context, krberror.server);
-
- if (ret)
- goto bailout;
+ if (ap_rep.length) {
+ free(ap_rep.data);
+ ap_rep.length = 0;
+ }
+
+ krberror.ctime = 0;
+ krberror.cusec = 0;
+ krberror.susec = 0;
+ ret = krb5_timeofday(context, &krberror.stime);
+ if (ret)
+ goto bailout;
+
+ /* this is really icky. but it's what all the other callers
+ to mk_error do. */
+ krberror.error = ret;
+ krberror.error -= ERROR_TABLE_BASE_krb5;
+ if (krberror.error < 0 || krberror.error > 128)
+ krberror.error = KRB_ERR_GENERIC;
+
+ krberror.client = NULL;
+
+ ret = krb5_build_principal(context, &krberror.server,
+ strlen(realm), realm,
+ "kadmin", "changepw", NULL);
+ if (ret)
+ goto bailout;
+ krberror.text.length = 0;
+ krberror.e_data = clear;
+
+ ret = krb5_mk_error(context, &krberror, &cipher);
+
+ krb5_free_principal(context, krberror.server);
+
+ if (ret)
+ goto bailout;
}
/* construct the reply */
@@ -419,9 +420,9 @@ chpwfail:
rep->length = 6 + ap_rep.length + cipher.length;
rep->data = (char *) malloc(rep->length);
if (rep->data == NULL) {
- rep->length = 0; /* checked by caller */
- ret = ENOMEM;
- goto bailout;
+ rep->length = 0; /* checked by caller */
+ ret = ENOMEM;
+ goto bailout;
}
ptr = rep->data;
@@ -443,8 +444,8 @@ chpwfail:
/* ap-rep data */
if (ap_rep.length) {
- memcpy(ptr, ap_rep.data, ap_rep.length);
- ptr += ap_rep.length;
+ memcpy(ptr, ap_rep.data, ap_rep.length);
+ ptr += ap_rep.length;
}
/* krb-priv or krb-error */
@@ -453,25 +454,25 @@ chpwfail:
bailout:
if (auth_context)
- krb5_auth_con_free(context, auth_context);
+ krb5_auth_con_free(context, auth_context);
if (changepw)
- krb5_free_principal(context, changepw);
+ krb5_free_principal(context, changepw);
if (ap_rep.length)
- free(ap_rep.data);
+ free(ap_rep.data);
if (ticket)
- krb5_free_ticket(context, ticket);
+ krb5_free_ticket(context, ticket);
if (clear.length)
- free(clear.data);
+ free(clear.data);
if (cipher.length)
- free(cipher.data);
+ free(cipher.data);
if (target)
- krb5_free_principal(context, target);
+ krb5_free_principal(context, target);
if (targetstr)
- krb5_free_unparsed_name(context, targetstr);
+ krb5_free_unparsed_name(context, targetstr);
if (clientstr)
- krb5_free_unparsed_name(context, clientstr);
+ krb5_free_unparsed_name(context, clientstr);
if (errmsg)
- krb5_free_error_message(context, errmsg);
+ krb5_free_error_message(context, errmsg);
return(ret);
}
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index 9449fe8c22..29a8805eeb 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
@@ -17,21 +18,21 @@
#include <string.h>
#define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"
-#define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
+#define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
-extern gss_name_t gss_changepw_name;
-extern gss_name_t gss_oldchangepw_name;
-extern void * global_server_handle;
+extern gss_name_t gss_changepw_name;
+extern gss_name_t gss_oldchangepw_name;
+extern void * global_server_handle;
-#define CHANGEPW_SERVICE(rqstp) \
- (cmp_gss_names_rel_1(acceptor_name(rqstp->rq_svccred), gss_changepw_name) |\
- (gss_oldchangepw_name && \
- cmp_gss_names_rel_1(acceptor_name(rqstp->rq_svccred), \
- gss_oldchangepw_name)))
+#define CHANGEPW_SERVICE(rqstp) \
+ (cmp_gss_names_rel_1(acceptor_name(rqstp->rq_svccred), gss_changepw_name) | \
+ (gss_oldchangepw_name && \
+ cmp_gss_names_rel_1(acceptor_name(rqstp->rq_svccred), \
+ gss_oldchangepw_name)))
static int gss_to_krb5_name(kadm5_server_handle_t handle,
- gss_name_t gss_name, krb5_principal *princ);
+ gss_name_t gss_name, krb5_principal *princ);
static int gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str);
@@ -41,25 +42,25 @@ gss_name_t rqst2name(struct svc_req *rqstp);
static int cmp_gss_names(gss_name_t n1, gss_name_t n2)
{
- OM_uint32 emaj, emin;
- int equal;
+ OM_uint32 emaj, emin;
+ int equal;
- if (GSS_ERROR(emaj = gss_compare_name(&emin, n1, n2, &equal)))
- return(0);
+ if (GSS_ERROR(emaj = gss_compare_name(&emin, n1, n2, &equal)))
+ return(0);
- return(equal);
+ return(equal);
}
/* Does a comparison of the names and then releases the first entity */
/* For use above in CHANGEPW_SERVICE */
static int cmp_gss_names_rel_1(gss_name_t n1, gss_name_t n2)
{
- OM_uint32 min_stat;
- int ret;
+ OM_uint32 min_stat;
+ int ret;
- ret = cmp_gss_names(n1, n2);
- if (n1) (void) gss_release_name(&min_stat, &n1);
- return ret;
+ ret = cmp_gss_names(n1, n2);
+ if (n1) (void) gss_release_name(&min_stat, &n1);
+ return ret;
}
/*
@@ -70,13 +71,13 @@ static int cmp_gss_names_rel_1(gss_name_t n1, gss_name_t n2)
*
* Arguments:
*
- * handle The server handle.
+ * handle The server handle.
*/
static int check_handle(void *handle)
{
- CHECK_HANDLE(handle);
- return 0;
+ CHECK_HANDLE(handle);
+ return 0;
}
/*
@@ -88,45 +89,45 @@ static int check_handle(void *handle)
* kadm5_init.
*
* Arguments:
- * api_version (input) The API version specified by the client
- * rqstp (input) The RPC request
- * handle (output) The returned handle
- * <return value> (output) An error code, or 0 if no error occurred
- *
+ * api_version (input) The API version specified by the client
+ * rqstp (input) The RPC request
+ * handle (output) The returned handle
+ * <return value> (output) An error code, or 0 if no error occurred
+ *
* Effects:
- * Returns a pointer to allocated storage containing the server
- * handle. If an error occurs, then no allocated storage is
- * returned, and the return value of the function will be a
- * non-zero com_err code.
- *
+ * Returns a pointer to allocated storage containing the server
+ * handle. If an error occurs, then no allocated storage is
+ * returned, and the return value of the function will be a
+ * non-zero com_err code.
+ *
* The allocated storage for the handle should be freed with
- * free_server_handle (see below) when it is no longer needed.
+ * free_server_handle (see below) when it is no longer needed.
*/
static kadm5_ret_t new_server_handle(krb5_ui_4 api_version,
- struct svc_req *rqstp,
- kadm5_server_handle_t
- *out_handle)
+ struct svc_req *rqstp,
+ kadm5_server_handle_t
+ *out_handle)
{
- kadm5_server_handle_t handle;
+ kadm5_server_handle_t handle;
- *out_handle = NULL;
+ *out_handle = NULL;
- if (! (handle = (kadm5_server_handle_t)
- malloc(sizeof(*handle))))
- return ENOMEM;
+ if (! (handle = (kadm5_server_handle_t)
+ malloc(sizeof(*handle))))
+ return ENOMEM;
- *handle = *(kadm5_server_handle_t)global_server_handle;
- handle->api_version = api_version;
+ *handle = *(kadm5_server_handle_t)global_server_handle;
+ handle->api_version = api_version;
- if (! gss_to_krb5_name(handle, rqst2name(rqstp),
- &handle->current_caller)) {
- free(handle);
- return KADM5_FAILURE;
- }
+ if (! gss_to_krb5_name(handle, rqst2name(rqstp),
+ &handle->current_caller)) {
+ free(handle);
+ return KADM5_FAILURE;
+ }
- *out_handle = handle;
- return 0;
+ *out_handle = handle;
+ return 0;
}
/*
@@ -135,14 +136,14 @@ static kadm5_ret_t new_server_handle(krb5_ui_4 api_version,
* Purpose: Free handle memory allocated by new_server_handle
*
* Arguments:
- * handle (input/output) The handle to free
+ * handle (input/output) The handle to free
*/
static void free_server_handle(kadm5_server_handle_t handle)
{
- if (!handle)
- return;
- krb5_free_principal(handle->context, handle->current_caller);
- free(handle);
+ if (!handle)
+ return;
+ krb5_free_principal(handle->context, handle->current_caller);
+ free(handle);
}
/*
@@ -152,9 +153,9 @@ static void free_server_handle(kadm5_server_handle_t handle)
* names.
*
* Arguments:
- * rqstp (r) the RPC request
- * client_name (w) the gss_buffer_t for the client name
- * server_name (w) the gss_buffer_t for the server name
+ * rqstp (r) the RPC request
+ * client_name (w) the gss_buffer_t for the client name
+ * server_name (w) the gss_buffer_t for the server name
*
* Effects:
*
@@ -163,82 +164,82 @@ static void free_server_handle(kadm5_server_handle_t handle)
* on success and -1 on failure.
*/
int setup_gss_names(struct svc_req *rqstp,
- gss_buffer_desc *client_name,
- gss_buffer_desc *server_name)
+ gss_buffer_desc *client_name,
+ gss_buffer_desc *server_name)
{
- OM_uint32 maj_stat, min_stat;
- gss_name_t server_gss_name;
-
- if (gss_name_to_string(rqst2name(rqstp), client_name) != 0)
- return -1;
- maj_stat = gss_inquire_context(&min_stat, rqstp->rq_svccred, NULL,
- &server_gss_name, NULL, NULL, NULL,
- NULL, NULL);
- if (maj_stat != GSS_S_COMPLETE) {
- gss_release_buffer(&min_stat, client_name);
- gss_release_name(&min_stat, &server_gss_name);
- return -1;
- }
- if (gss_name_to_string(server_gss_name, server_name) != 0) {
- gss_release_buffer(&min_stat, client_name);
- gss_release_name(&min_stat, &server_gss_name);
- return -1;
- }
- gss_release_name(&min_stat, &server_gss_name);
- return 0;
+ OM_uint32 maj_stat, min_stat;
+ gss_name_t server_gss_name;
+
+ if (gss_name_to_string(rqst2name(rqstp), client_name) != 0)
+ return -1;
+ maj_stat = gss_inquire_context(&min_stat, rqstp->rq_svccred, NULL,
+ &server_gss_name, NULL, NULL, NULL,
+ NULL, NULL);
+ if (maj_stat != GSS_S_COMPLETE) {
+ gss_release_buffer(&min_stat, client_name);
+ gss_release_name(&min_stat, &server_gss_name);
+ return -1;
+ }
+ if (gss_name_to_string(server_gss_name, server_name) != 0) {
+ gss_release_buffer(&min_stat, client_name);
+ gss_release_name(&min_stat, &server_gss_name);
+ return -1;
+ }
+ gss_release_name(&min_stat, &server_gss_name);
+ return 0;
}
static gss_name_t acceptor_name(gss_ctx_id_t context)
{
- OM_uint32 maj_stat, min_stat;
- gss_name_t name;
-
- maj_stat = gss_inquire_context(&min_stat, context, NULL, &name,
- NULL, NULL, NULL, NULL, NULL);
- if (maj_stat != GSS_S_COMPLETE)
- return NULL;
- return name;
+ OM_uint32 maj_stat, min_stat;
+ gss_name_t name;
+
+ maj_stat = gss_inquire_context(&min_stat, context, NULL, &name,
+ NULL, NULL, NULL, NULL, NULL);
+ if (maj_stat != GSS_S_COMPLETE)
+ return NULL;
+ return name;
}
-
+
static int cmp_gss_krb5_name(kadm5_server_handle_t handle,
- gss_name_t gss_name, krb5_principal princ)
+ gss_name_t gss_name, krb5_principal princ)
{
- krb5_principal princ2;
- int status;
-
- if (! gss_to_krb5_name(handle, gss_name, &princ2))
- return 0;
- status = krb5_principal_compare(handle->context, princ, princ2);
- krb5_free_principal(handle->context, princ2);
- return status;
+ krb5_principal princ2;
+ int status;
+
+ if (! gss_to_krb5_name(handle, gss_name, &princ2))
+ return 0;
+ status = krb5_principal_compare(handle->context, princ, princ2);
+ krb5_free_principal(handle->context, princ2);
+ return status;
}
static int gss_to_krb5_name(kadm5_server_handle_t handle,
- gss_name_t gss_name, krb5_principal *princ)
+ gss_name_t gss_name, krb5_principal *princ)
{
- OM_uint32 status, minor_stat;
- gss_buffer_desc gss_str;
- gss_OID gss_type;
- int success;
-
- status = gss_display_name(&minor_stat, gss_name, &gss_str, &gss_type);
- if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name))
- return 0;
- success = (krb5_parse_name(handle->context, gss_str.value, princ) == 0);
- gss_release_buffer(&minor_stat, &gss_str);
- return success;
+ OM_uint32 status, minor_stat;
+ gss_buffer_desc gss_str;
+ gss_OID gss_type;
+ int success;
+
+ status = gss_display_name(&minor_stat, gss_name, &gss_str, &gss_type);
+ if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name))
+ return 0;
+ success = (krb5_parse_name(handle->context, gss_str.value, princ) == 0);
+ gss_release_buffer(&minor_stat, &gss_str);
+ return success;
}
static int
gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str)
{
- OM_uint32 status, minor_stat;
- gss_OID gss_type;
+ OM_uint32 status, minor_stat;
+ gss_OID gss_type;
- status = gss_display_name(&minor_stat, gss_name, str, &gss_type);
- if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name))
- return 1;
- return 0;
+ status = gss_display_name(&minor_stat, gss_name, str, &gss_type);
+ if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name))
+ return 1;
+ return 0;
}
static int
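Review bot: In setup_gss_names, `server_gss_name` is declared without an initializer and is passed to `gss_release_name` when `gss_inquire_context` fails, so the release may act on an indeterminate handle unless the library is known to clear its outputs on error. Declaring it as `gss_name_t server_gss_name = GSS_C_NO_NAME;` makes that path safe regardless. acceptor_name leaves `name` uninitialized in the same way but never releases it. Separately, gss_to_krb5_name and gss_name_to_string return early when the name type is not `gss_nt_krb5_name` without calling `gss_release_buffer` on a buffer that a successful `gss_display_name` has already allocated.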
@@ -261,12 +262,12 @@ log_unauth(
/* okay to cast lengths to int because trunc_name limits max value */
return krb5_klog_syslog(LOG_NOTICE,
- "Unauthorized request: %s, %.*s%s, "
- "client=%.*s%s, service=%.*s%s, addr=%s",
- op, (int)tlen, target, tdots,
- (int)clen, (char *)client->value, cdots,
- (int)slen, (char *)server->value, sdots,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ "Unauthorized request: %s, %.*s%s, "
+ "client=%.*s%s, service=%.*s%s, addr=%s",
+ op, (int)tlen, target, tdots,
+ (int)clen, (char *)client->value, cdots,
+ (int)slen, (char *)server->value, sdots,
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
static int
@@ -290,72 +291,72 @@ log_done(
/* okay to cast lengths to int because trunc_name limits max value */
return krb5_klog_syslog(LOG_NOTICE,
- "Request: %s, %.*s%s, %s, "
- "client=%.*s%s, service=%.*s%s, addr=%s",
- op, (int)tlen, target, tdots, errmsg,
- (int)clen, (char *)client->value, cdots,
- (int)slen, (char *)server->value, sdots,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ "Request: %s, %.*s%s, %s, "
+ "client=%.*s%s, service=%.*s%s, addr=%s",
+ op, (int)tlen, target, tdots, errmsg,
+ (int)clen, (char *)client->value, cdots,
+ (int)slen, (char *)server->value, sdots,
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
generic_ret *
create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg;
- gss_buffer_desc client_name, service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- restriction_t *rp;
- const char *errmsg = NULL;
+ static generic_ret ret;
+ char *prime_arg;
+ gss_buffer_desc client_name, service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
- goto exit_func;
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
}
if (CHANGEPW_SERVICE(rqstp)
- || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD,
- arg->rec.principal, &rp)
- || kadm5int_acl_impose_restrictions(handle->context,
- &arg->rec, &arg->mask, rp)) {
- ret.code = KADM5_AUTH_ADD;
- log_unauth("kadm5_create_principal", prime_arg,
- &client_name, &service_name, rqstp);
+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD,
+ arg->rec.principal, &rp)
+ || kadm5int_acl_impose_restrictions(handle->context,
+ &arg->rec, &arg->mask, rp)) {
+ ret.code = KADM5_AUTH_ADD;
+ log_unauth("kadm5_create_principal", prime_arg,
+ &client_name, &service_name, rqstp);
} else {
- ret.code = kadm5_create_principal((void *)handle,
- &arg->rec, arg->mask,
- arg->passwd);
+ ret.code = kadm5_create_principal((void *)handle,
+ &arg->rec, arg->mask,
+ arg->passwd);
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_create_principal", prime_arg,
- errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
+ log_done("kadm5_create_principal", prime_arg,
+ errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
- exit_func:
+exit_func:
free_server_handle(handle);
return &ret;
}
@@ -363,56 +364,56 @@ create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
generic_ret *
create_principal3_2_svc(cprinc3_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg;
- gss_buffer_desc client_name, service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- restriction_t *rp;
- const char *errmsg = NULL;
+ static generic_ret ret;
+ char *prime_arg;
+ gss_buffer_desc client_name, service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
- goto exit_func;
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
}
if (CHANGEPW_SERVICE(rqstp)
- || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD,
- arg->rec.principal, &rp)
- || kadm5int_acl_impose_restrictions(handle->context,
- &arg->rec, &arg->mask, rp)) {
- ret.code = KADM5_AUTH_ADD;
- log_unauth("kadm5_create_principal", prime_arg,
- &client_name, &service_name, rqstp);
+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD,
+ arg->rec.principal, &rp)
+ || kadm5int_acl_impose_restrictions(handle->context,
+ &arg->rec, &arg->mask, rp)) {
+ ret.code = KADM5_AUTH_ADD;
+ log_unauth("kadm5_create_principal", prime_arg,
+ &client_name, &service_name, rqstp);
} else {
- ret.code = kadm5_create_principal_3((void *)handle,
- &arg->rec, arg->mask,
- arg->n_ks_tuple,
- arg->ks_tuple,
- arg->passwd);
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
-
- log_done("kadm5_create_principal", prime_arg,
- errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
-
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ ret.code = kadm5_create_principal_3((void *)handle,
+ &arg->rec, arg->mask,
+ arg->n_ks_tuple,
+ arg->ks_tuple,
+ arg->passwd);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
+
+ log_done("kadm5_create_principal", prime_arg,
+ errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
@@ -426,50 +427,50 @@ exit_func:
generic_ret *
delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
+ static generic_ret ret;
+ char *prime_arg;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
- goto exit_func;
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
}
-
+
if (CHANGEPW_SERVICE(rqstp)
- || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
- arg->princ, NULL)) {
- ret.code = KADM5_AUTH_DELETE;
- log_unauth("kadm5_delete_principal", prime_arg,
- &client_name, &service_name, rqstp);
+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
+ arg->princ, NULL)) {
+ ret.code = KADM5_AUTH_DELETE;
+ log_unauth("kadm5_delete_principal", prime_arg,
+ &client_name, &service_name, rqstp);
} else {
- ret.code = kadm5_delete_principal((void *)handle, arg->princ);
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
+ ret.code = kadm5_delete_principal((void *)handle, arg->princ);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_delete_principal", prime_arg,
- errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
+ log_done("kadm5_delete_principal", prime_arg,
+ errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
@@ -484,52 +485,52 @@ exit_func:
generic_ret *
modify_principal_2_svc(mprinc_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- restriction_t *rp;
- const char *errmsg = NULL;
+ static generic_ret ret;
+ char *prime_arg;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
- goto exit_func;
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
}
if (CHANGEPW_SERVICE(rqstp)
- || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
- arg->rec.principal, &rp)
- || kadm5int_acl_impose_restrictions(handle->context,
- &arg->rec, &arg->mask, rp)) {
- ret.code = KADM5_AUTH_MODIFY;
- log_unauth("kadm5_modify_principal", prime_arg,
- &client_name, &service_name, rqstp);
+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
+ arg->rec.principal, &rp)
+ || kadm5int_acl_impose_restrictions(handle->context,
+ &arg->rec, &arg->mask, rp)) {
+ ret.code = KADM5_AUTH_MODIFY;
+ log_unauth("kadm5_modify_principal", prime_arg,
+ &client_name, &service_name, rqstp);
} else {
- ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
- arg->mask);
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
+ ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
+ arg->mask);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_modify_principal", prime_arg,
- errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
+ log_done("kadm5_modify_principal", prime_arg,
+ errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
@@ -542,34 +543,34 @@ exit_func:
generic_ret *
rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg1,
- *prime_arg2;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- restriction_t *rp;
- const char *errmsg = NULL;
- size_t tlen1, tlen2, clen, slen;
- char *tdots1, *tdots2, *cdots, *sdots;
+ static generic_ret ret;
+ char *prime_arg1,
+ *prime_arg2;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ restriction_t *rp;
+ const char *errmsg = NULL;
+ size_t tlen1, tlen2, clen, slen;
+ char *tdots1, *tdots2, *cdots, *sdots;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
if (krb5_unparse_name(handle->context, arg->src, &prime_arg1) ||
krb5_unparse_name(handle->context, arg->dest, &prime_arg2)) {
- ret.code = KADM5_BAD_PRINCIPAL;
- goto exit_func;
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
}
tlen1 = strlen(prime_arg1);
trunc_name(&tlen1, &tdots1);
@@ -582,54 +583,54 @@ rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
ret.code = KADM5_OK;
if (! CHANGEPW_SERVICE(rqstp)) {
- if (!kadm5int_acl_check(handle->context, rqst2name(rqstp),
- ACL_DELETE, arg->src, NULL))
- ret.code = KADM5_AUTH_DELETE;
- /* any restrictions at all on the ADD kills the RENAME */
- if (!kadm5int_acl_check(handle->context, rqst2name(rqstp),
- ACL_ADD, arg->dest, &rp) || rp) {
- if (ret.code == KADM5_AUTH_DELETE)
- ret.code = KADM5_AUTH_INSUFFICIENT;
- else
- ret.code = KADM5_AUTH_ADD;
- }
+ if (!kadm5int_acl_check(handle->context, rqst2name(rqstp),
+ ACL_DELETE, arg->src, NULL))
+ ret.code = KADM5_AUTH_DELETE;
+ /* any restrictions at all on the ADD kills the RENAME */
+ if (!kadm5int_acl_check(handle->context, rqst2name(rqstp),
+ ACL_ADD, arg->dest, &rp) || rp) {
+ if (ret.code == KADM5_AUTH_DELETE)
+ ret.code = KADM5_AUTH_INSUFFICIENT;
+ else
+ ret.code = KADM5_AUTH_ADD;
+ }
} else
- ret.code = KADM5_AUTH_INSUFFICIENT;
+ ret.code = KADM5_AUTH_INSUFFICIENT;
if (ret.code != KADM5_OK) {
- /* okay to cast lengths to int because trunc_name limits max value */
- krb5_klog_syslog(LOG_NOTICE,
- "Unauthorized request: kadm5_rename_principal, "
- "%.*s%s to %.*s%s, "
- "client=%.*s%s, service=%.*s%s, addr=%s",
- (int)tlen1, prime_arg1, tdots1,
- (int)tlen2, prime_arg2, tdots2,
- (int)clen, (char *)client_name.value, cdots,
- (int)slen, (char *)service_name.value, sdots,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+ /* okay to cast lengths to int because trunc_name limits max value */
+ krb5_klog_syslog(LOG_NOTICE,
+ "Unauthorized request: kadm5_rename_principal, "
+ "%.*s%s to %.*s%s, "
+ "client=%.*s%s, service=%.*s%s, addr=%s",
+ (int)tlen1, prime_arg1, tdots1,
+ (int)tlen2, prime_arg2, tdots2,
+ (int)clen, (char *)client_name.value, cdots,
+ (int)slen, (char *)service_name.value, sdots,
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
} else {
- ret.code = kadm5_rename_principal((void *)handle, arg->src,
- arg->dest);
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
-
- /* okay to cast lengths to int because trunc_name limits max value */
- krb5_klog_syslog(LOG_NOTICE,
- "Request: kadm5_rename_principal, "
- "%.*s%s to %.*s%s, %s, "
- "client=%.*s%s, service=%.*s%s, addr=%s",
- (int)tlen1, prime_arg1, tdots1,
- (int)tlen2, prime_arg2, tdots2,
- errmsg ? errmsg : "success",
- (int)clen, (char *)client_name.value, cdots,
- (int)slen, (char *)service_name.value, sdots,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
-
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ ret.code = kadm5_rename_principal((void *)handle, arg->src,
+ arg->dest);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
+
+ /* okay to cast lengths to int because trunc_name limits max value */
+ krb5_klog_syslog(LOG_NOTICE,
+ "Request: kadm5_rename_principal, "
+ "%.*s%s to %.*s%s, %s, "
+ "client=%.*s%s, service=%.*s%s, addr=%s",
+ (int)tlen1, prime_arg1, tdots1,
+ (int)tlen2, prime_arg2, tdots2,
+ errmsg ? errmsg : "success",
+ (int)clen, (char *)client_name.value, cdots,
+ (int)slen, (char *)service_name.value, sdots,
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg1);
- free(prime_arg2);
+ free(prime_arg2);
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
@@ -640,56 +641,56 @@ exit_func:
gprinc_ret *
get_principal_2_svc(gprinc_arg *arg, struct svc_req *rqstp)
{
- static gprinc_ret ret;
- char *prime_arg, *funcname;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
+ static gprinc_ret ret;
+ char *prime_arg, *funcname;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
xdr_free(xdr_gprinc_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
funcname = "kadm5_get_principal";
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
- goto exit_func;
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
}
if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) &&
- (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
- rqst2name(rqstp),
- ACL_INQUIRE,
- arg->princ,
- NULL))) {
- ret.code = KADM5_AUTH_GET;
- log_unauth(funcname, prime_arg,
- &client_name, &service_name, rqstp);
+ (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ rqst2name(rqstp),
+ ACL_INQUIRE,
+ arg->princ,
+ NULL))) {
+ ret.code = KADM5_AUTH_GET;
+ log_unauth(funcname, prime_arg,
+ &client_name, &service_name, rqstp);
} else {
- ret.code = kadm5_get_principal(handle, arg->princ, &ret.rec,
- arg->mask);
-
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
+ ret.code = kadm5_get_principal(handle, arg->princ, &ret.rec,
+ arg->mask);
- log_done(funcname, prime_arg, errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ log_done(funcname, prime_arg, errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
@@ -702,53 +703,53 @@ exit_func:
gprincs_ret *
get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
{
- static gprincs_ret ret;
- char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
+ static gprincs_ret ret;
+ char *prime_arg;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
xdr_free(xdr_gprincs_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
prime_arg = arg->exp;
if (prime_arg == NULL)
- prime_arg = "*";
+ prime_arg = "*";
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
- rqst2name(rqstp),
- ACL_LIST,
- NULL,
- NULL)) {
- ret.code = KADM5_AUTH_LIST;
- log_unauth("kadm5_get_principals", prime_arg,
- &client_name, &service_name, rqstp);
+ rqst2name(rqstp),
+ ACL_LIST,
+ NULL,
+ NULL)) {
+ ret.code = KADM5_AUTH_LIST;
+ log_unauth("kadm5_get_principals", prime_arg,
+ &client_name, &service_name, rqstp);
} else {
- ret.code = kadm5_get_principals((void *)handle,
- arg->exp, &ret.princs,
- &ret.count);
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
+ ret.code = kadm5_get_principals((void *)handle,
+ arg->exp, &ret.princs,
+ &ret.count);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_get_principals", prime_arg,
- errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
+ log_done("kadm5_get_principals", prime_arg,
+ errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
gss_release_buffer(&minor_stat, &client_name);
@@ -761,57 +762,57 @@ exit_func:
generic_ret *
chpass_principal_2_svc(chpass_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
+ static generic_ret ret;
+ char *prime_arg;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
- goto exit_func;
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
}
if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) {
- ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
- FALSE, 0, NULL, arg->pass);
+ ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
+ FALSE, 0, NULL, arg->pass);
} else if (!(CHANGEPW_SERVICE(rqstp)) &&
- kadm5int_acl_check(handle->context, rqst2name(rqstp),
- ACL_CHANGEPW, arg->princ, NULL)) {
- ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
- arg->pass);
+ kadm5int_acl_check(handle->context, rqst2name(rqstp),
+ ACL_CHANGEPW, arg->princ, NULL)) {
+ ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
+ arg->pass);
} else {
- log_unauth("kadm5_chpass_principal", prime_arg,
- &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_CHANGEPW;
+ log_unauth("kadm5_chpass_principal", prime_arg,
+ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
}
if (ret.code != KADM5_AUTH_CHANGEPW) {
- if (ret.code != 0)
- errmsg = krb5_get_error_message(handle->context, ret.code);
+ if (ret.code != 0)
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_chpass_principal", prime_arg,
- errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
+ log_done("kadm5_chpass_principal", prime_arg,
+ errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
@@ -825,63 +826,63 @@ exit_func:
generic_ret *
chpass_principal3_2_svc(chpass3_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
+ static generic_ret ret;
+ char *prime_arg;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
- goto exit_func;
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
}
if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) {
- ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
- arg->keepold,
- arg->n_ks_tuple,
- arg->ks_tuple,
- arg->pass);
+ ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
+ arg->keepold,
+ arg->n_ks_tuple,
+ arg->ks_tuple,
+ arg->pass);
} else if (!(CHANGEPW_SERVICE(rqstp)) &&
- kadm5int_acl_check(handle->context, rqst2name(rqstp),
- ACL_CHANGEPW, arg->princ, NULL)) {
- ret.code = kadm5_chpass_principal_3((void *)handle, arg->princ,
- arg->keepold,
- arg->n_ks_tuple,
- arg->ks_tuple,
- arg->pass);
+ kadm5int_acl_check(handle->context, rqst2name(rqstp),
+ ACL_CHANGEPW, arg->princ, NULL)) {
+ ret.code = kadm5_chpass_principal_3((void *)handle, arg->princ,
+ arg->keepold,
+ arg->n_ks_tuple,
+ arg->ks_tuple,
+ arg->pass);
} else {
- log_unauth("kadm5_chpass_principal", prime_arg,
- &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_CHANGEPW;
+ log_unauth("kadm5_chpass_principal", prime_arg,
+ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
}
if(ret.code != KADM5_AUTH_CHANGEPW) {
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_chpass_principal", prime_arg,
- errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
+ log_done("kadm5_chpass_principal", prime_arg,
+ errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
@@ -895,54 +896,54 @@ exit_func:
generic_ret *
setv4key_principal_2_svc(setv4key_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
+ static generic_ret ret;
+ char *prime_arg;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
- goto exit_func;
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
}
if (!(CHANGEPW_SERVICE(rqstp)) &&
- kadm5int_acl_check(handle->context, rqst2name(rqstp),
- ACL_SETKEY, arg->princ, NULL)) {
- ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
- arg->keyblock);
+ kadm5int_acl_check(handle->context, rqst2name(rqstp),
+ ACL_SETKEY, arg->princ, NULL)) {
+ ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
+ arg->keyblock);
} else {
- log_unauth("kadm5_setv4key_principal", prime_arg,
- &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_SETKEY;
+ log_unauth("kadm5_setv4key_principal", prime_arg,
+ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_SETKEY;
}
if(ret.code != KADM5_AUTH_SETKEY) {
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_setv4key_principal", prime_arg,
- errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
+ log_done("kadm5_setv4key_principal", prime_arg,
+ errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
@@ -956,54 +957,54 @@ exit_func:
generic_ret *
setkey_principal_2_svc(setkey_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
+ static generic_ret ret;
+ char *prime_arg;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
- goto exit_func;
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
}
if (!(CHANGEPW_SERVICE(rqstp)) &&
- kadm5int_acl_check(handle->context, rqst2name(rqstp),
- ACL_SETKEY, arg->princ, NULL)) {
- ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
- arg->keyblocks, arg->n_keys);
+ kadm5int_acl_check(handle->context, rqst2name(rqstp),
+ ACL_SETKEY, arg->princ, NULL)) {
+ ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
+ arg->keyblocks, arg->n_keys);
} else {
- log_unauth("kadm5_setkey_principal", prime_arg,
- &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_SETKEY;
+ log_unauth("kadm5_setkey_principal", prime_arg,
+ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_SETKEY;
}
if(ret.code != KADM5_AUTH_SETKEY) {
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_setkey_principal", prime_arg,
- errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
+ log_done("kadm5_setkey_principal", prime_arg,
+ errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
@@ -1017,57 +1018,57 @@ exit_func:
generic_ret *
setkey_principal3_2_svc(setkey3_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
+ static generic_ret ret;
+ char *prime_arg;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
- goto exit_func;
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
}
if (!(CHANGEPW_SERVICE(rqstp)) &&
- kadm5int_acl_check(handle->context, rqst2name(rqstp),
- ACL_SETKEY, arg->princ, NULL)) {
- ret.code = kadm5_setkey_principal_3((void *)handle, arg->princ,
- arg->keepold,
- arg->n_ks_tuple,
- arg->ks_tuple,
- arg->keyblocks, arg->n_keys);
+ kadm5int_acl_check(handle->context, rqst2name(rqstp),
+ ACL_SETKEY, arg->princ, NULL)) {
+ ret.code = kadm5_setkey_principal_3((void *)handle, arg->princ,
+ arg->keepold,
+ arg->n_ks_tuple,
+ arg->ks_tuple,
+ arg->keyblocks, arg->n_keys);
} else {
- log_unauth("kadm5_setkey_principal", prime_arg,
- &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_SETKEY;
+ log_unauth("kadm5_setkey_principal", prime_arg,
+ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_SETKEY;
}
if(ret.code != KADM5_AUTH_SETKEY) {
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_setkey_principal", prime_arg,
- errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
+ log_done("kadm5_setkey_principal", prime_arg,
+ errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
@@ -1081,66 +1082,66 @@ exit_func:
chrand_ret *
chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
{
- static chrand_ret ret;
- krb5_keyblock *k;
- int nkeys;
- char *prime_arg, *funcname;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
+ static chrand_ret ret;
+ krb5_keyblock *k;
+ int nkeys;
+ char *prime_arg, *funcname;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
xdr_free(xdr_chrand_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
funcname = "kadm5_randkey_principal";
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
- goto exit_func;
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
}
if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) {
- ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ,
- FALSE, 0, NULL, &k, &nkeys);
+ ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ,
+ FALSE, 0, NULL, &k, &nkeys);
} else if (!(CHANGEPW_SERVICE(rqstp)) &&
- kadm5int_acl_check(handle->context, rqst2name(rqstp),
- ACL_CHANGEPW, arg->princ, NULL)) {
- ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
- &k, &nkeys);
+ kadm5int_acl_check(handle->context, rqst2name(rqstp),
+ ACL_CHANGEPW, arg->princ, NULL)) {
+ ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
+ &k, &nkeys);
} else {
- log_unauth(funcname, prime_arg,
- &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_CHANGEPW;
+ log_unauth(funcname, prime_arg,
+ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
}
if(ret.code == KADM5_OK) {
- ret.keys = k;
- ret.n_keys = nkeys;
+ ret.keys = k;
+ ret.n_keys = nkeys;
}
if(ret.code != KADM5_AUTH_CHANGEPW) {
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done(funcname, prime_arg, errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
+ log_done(funcname, prime_arg, errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
@@ -1153,71 +1154,71 @@ exit_func:
chrand_ret *
chrand_principal3_2_svc(chrand3_arg *arg, struct svc_req *rqstp)
{
- static chrand_ret ret;
- krb5_keyblock *k;
- int nkeys;
- char *prime_arg, *funcname;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
+ static chrand_ret ret;
+ krb5_keyblock *k;
+ int nkeys;
+ char *prime_arg, *funcname;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
xdr_free(xdr_chrand_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
funcname = "kadm5_randkey_principal";
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
- ret.code = KADM5_BAD_PRINCIPAL;
- goto exit_func;
+ ret.code = KADM5_BAD_PRINCIPAL;
+ goto exit_func;
}
if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) {
- ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ,
- arg->keepold,
- arg->n_ks_tuple,
- arg->ks_tuple,
- &k, &nkeys);
+ ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ,
+ arg->keepold,
+ arg->n_ks_tuple,
+ arg->ks_tuple,
+ &k, &nkeys);
} else if (!(CHANGEPW_SERVICE(rqstp)) &&
- kadm5int_acl_check(handle->context, rqst2name(rqstp),
- ACL_CHANGEPW, arg->princ, NULL)) {
- ret.code = kadm5_randkey_principal_3((void *)handle, arg->princ,
- arg->keepold,
- arg->n_ks_tuple,
- arg->ks_tuple,
- &k, &nkeys);
+ kadm5int_acl_check(handle->context, rqst2name(rqstp),
+ ACL_CHANGEPW, arg->princ, NULL)) {
+ ret.code = kadm5_randkey_principal_3((void *)handle, arg->princ,
+ arg->keepold,
+ arg->n_ks_tuple,
+ arg->ks_tuple,
+ &k, &nkeys);
} else {
- log_unauth(funcname, prime_arg,
- &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_CHANGEPW;
+ log_unauth(funcname, prime_arg,
+ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
}
if(ret.code == KADM5_OK) {
- ret.keys = k;
- ret.n_keys = nkeys;
+ ret.keys = k;
+ ret.n_keys = nkeys;
}
if(ret.code != KADM5_AUTH_CHANGEPW) {
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done(funcname, prime_arg, errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
+ log_done(funcname, prime_arg, errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
free(prime_arg);
gss_release_buffer(&minor_stat, &client_name);
@@ -1230,50 +1231,50 @@ exit_func:
generic_ret *
create_policy_2_svc(cpol_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
+ static generic_ret ret;
+ char *prime_arg;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
prime_arg = arg->rec.policy;
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
- rqst2name(rqstp),
- ACL_ADD, NULL, NULL)) {
- ret.code = KADM5_AUTH_ADD;
- log_unauth("kadm5_create_policy", prime_arg,
- &client_name, &service_name, rqstp);
+ rqst2name(rqstp),
+ ACL_ADD, NULL, NULL)) {
+ ret.code = KADM5_AUTH_ADD;
+ log_unauth("kadm5_create_policy", prime_arg,
+ &client_name, &service_name, rqstp);
} else {
- ret.code = kadm5_create_policy((void *)handle, &arg->rec,
- arg->mask);
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
-
- log_done("kadm5_create_policy",
- ((prime_arg == NULL) ? "(null)" : prime_arg),
- errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
-
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ ret.code = kadm5_create_policy((void *)handle, &arg->rec,
+ arg->mask);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
+
+ log_done("kadm5_create_policy",
+ ((prime_arg == NULL) ? "(null)" : prime_arg),
+ errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
@@ -1285,48 +1286,48 @@ exit_func:
generic_ret *
delete_policy_2_svc(dpol_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
+ static generic_ret ret;
+ char *prime_arg;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
prime_arg = arg->name;
-
+
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
- rqst2name(rqstp),
- ACL_DELETE, NULL, NULL)) {
- log_unauth("kadm5_delete_policy", prime_arg,
- &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_DELETE;
+ rqst2name(rqstp),
+ ACL_DELETE, NULL, NULL)) {
+ log_unauth("kadm5_delete_policy", prime_arg,
+ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_DELETE;
} else {
- ret.code = kadm5_delete_policy((void *)handle, arg->name);
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
+ ret.code = kadm5_delete_policy((void *)handle, arg->name);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_delete_policy",
- ((prime_arg == NULL) ? "(null)" : prime_arg),
- errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
+ log_done("kadm5_delete_policy",
+ ((prime_arg == NULL) ? "(null)" : prime_arg),
+ errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
@@ -1338,49 +1339,49 @@ exit_func:
generic_ret *
modify_policy_2_svc(mpol_arg *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
+ static generic_ret ret;
+ char *prime_arg;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
xdr_free(xdr_generic_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
prime_arg = arg->rec.policy;
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
- rqst2name(rqstp),
- ACL_MODIFY, NULL, NULL)) {
- log_unauth("kadm5_modify_policy", prime_arg,
- &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_MODIFY;
+ rqst2name(rqstp),
+ ACL_MODIFY, NULL, NULL)) {
+ log_unauth("kadm5_modify_policy", prime_arg,
+ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_MODIFY;
} else {
- ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
- arg->mask);
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
-
- log_done("kadm5_modify_policy",
- ((prime_arg == NULL) ? "(null)" : prime_arg),
- errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
-
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
+ arg->mask);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
+
+ log_done("kadm5_modify_policy",
+ ((prime_arg == NULL) ? "(null)" : prime_arg),
+ errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
@@ -1389,74 +1390,74 @@ exit_func:
return &ret;
}
-gpol_ret *
+gpol_ret *
get_policy_2_svc(gpol_arg *arg, struct svc_req *rqstp)
{
- static gpol_ret ret;
- kadm5_ret_t ret2;
- char *prime_arg, *funcname;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_principal_ent_rec caller_ent;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
+ static gpol_ret ret;
+ kadm5_ret_t ret2;
+ char *prime_arg, *funcname;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_principal_ent_rec caller_ent;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
xdr_free(xdr_gpol_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
funcname = "kadm5_get_policy";
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
prime_arg = arg->name;
ret.code = KADM5_AUTH_GET;
if (!CHANGEPW_SERVICE(rqstp) && kadm5int_acl_check(handle->context,
- rqst2name(rqstp),
- ACL_INQUIRE, NULL, NULL))
- ret.code = KADM5_OK;
+ rqst2name(rqstp),
+ ACL_INQUIRE, NULL, NULL))
+ ret.code = KADM5_OK;
else {
- ret.code = kadm5_get_principal(handle->lhandle,
- handle->current_caller,
- &caller_ent,
- KADM5_PRINCIPAL_NORMAL_MASK);
- if (ret.code == KADM5_OK) {
- if (caller_ent.aux_attributes & KADM5_POLICY &&
- strcmp(caller_ent.policy, arg->name) == 0) {
- ret.code = KADM5_OK;
- } else ret.code = KADM5_AUTH_GET;
- ret2 = kadm5_free_principal_ent(handle->lhandle,
- &caller_ent);
- ret.code = ret.code ? ret.code : ret2;
- }
- }
-
+ ret.code = kadm5_get_principal(handle->lhandle,
+ handle->current_caller,
+ &caller_ent,
+ KADM5_PRINCIPAL_NORMAL_MASK);
+ if (ret.code == KADM5_OK) {
+ if (caller_ent.aux_attributes & KADM5_POLICY &&
+ strcmp(caller_ent.policy, arg->name) == 0) {
+ ret.code = KADM5_OK;
+ } else ret.code = KADM5_AUTH_GET;
+ ret2 = kadm5_free_principal_ent(handle->lhandle,
+ &caller_ent);
+ ret.code = ret.code ? ret.code : ret2;
+ }
+ }
+
if (ret.code == KADM5_OK) {
- ret.code = kadm5_get_policy(handle, arg->name, &ret.rec);
-
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
-
- log_done(funcname,
- ((prime_arg == NULL) ? "(null)" : prime_arg),
- errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ ret.code = kadm5_get_policy(handle, arg->name, &ret.rec);
+
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
+
+ log_done(funcname,
+ ((prime_arg == NULL) ? "(null)" : prime_arg),
+ errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
} else {
- log_unauth(funcname, prime_arg,
- &client_name, &service_name, rqstp);
+ log_unauth(funcname, prime_arg,
+ &client_name, &service_name, rqstp);
}
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
@@ -1469,51 +1470,51 @@ exit_func:
gpols_ret *
get_pols_2_svc(gpols_arg *arg, struct svc_req *rqstp)
{
- static gpols_ret ret;
- char *prime_arg;
- gss_buffer_desc client_name,
- service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
+ static gpols_ret ret;
+ char *prime_arg;
+ gss_buffer_desc client_name,
+ service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
xdr_free(xdr_gpols_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
- goto exit_func;
+ goto exit_func;
if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ goto exit_func;
ret.api_version = handle->api_version;
if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
}
prime_arg = arg->exp;
if (prime_arg == NULL)
- prime_arg = "*";
+ prime_arg = "*";
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
- rqst2name(rqstp),
- ACL_LIST, NULL, NULL)) {
- ret.code = KADM5_AUTH_LIST;
- log_unauth("kadm5_get_policies", prime_arg,
- &client_name, &service_name, rqstp);
+ rqst2name(rqstp),
+ ACL_LIST, NULL, NULL)) {
+ ret.code = KADM5_AUTH_LIST;
+ log_unauth("kadm5_get_policies", prime_arg,
+ &client_name, &service_name, rqstp);
} else {
- ret.code = kadm5_get_policies((void *)handle,
- arg->exp, &ret.pols,
- &ret.count);
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
-
- log_done("kadm5_get_policies", prime_arg,
- errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
-
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ ret.code = kadm5_get_policies((void *)handle,
+ arg->exp, &ret.pols,
+ &ret.count);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
+
+ log_done("kadm5_get_policies", prime_arg,
+ errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
+
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
}
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
@@ -1524,104 +1525,104 @@ exit_func:
getprivs_ret * get_privs_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
{
- static getprivs_ret ret;
- gss_buffer_desc client_name, service_name;
- OM_uint32 minor_stat;
- kadm5_server_handle_t handle;
- const char *errmsg = NULL;
+ static getprivs_ret ret;
+ gss_buffer_desc client_name, service_name;
+ OM_uint32 minor_stat;
+ kadm5_server_handle_t handle;
+ const char *errmsg = NULL;
- xdr_free(xdr_getprivs_ret, &ret);
+ xdr_free(xdr_getprivs_ret, &ret);
- if ((ret.code = new_server_handle(*arg, rqstp, &handle)))
- goto exit_func;
+ if ((ret.code = new_server_handle(*arg, rqstp, &handle)))
+ goto exit_func;
- if ((ret.code = check_handle((void *)handle)))
- goto exit_func;
+ if ((ret.code = check_handle((void *)handle)))
+ goto exit_func;
- ret.api_version = handle->api_version;
+ ret.api_version = handle->api_version;
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
- }
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
+ }
- ret.code = kadm5_get_privs((void *)handle, &ret.privs);
- if( ret.code != 0 )
- errmsg = krb5_get_error_message(handle->context, ret.code);
+ ret.code = kadm5_get_privs((void *)handle, &ret.privs);
+ if( ret.code != 0 )
+ errmsg = krb5_get_error_message(handle->context, ret.code);
- log_done("kadm5_get_privs", client_name.value,
- errmsg ? errmsg : "success",
- &client_name, &service_name, rqstp);
+ log_done("kadm5_get_privs", client_name.value,
+ errmsg ? errmsg : "success",
+ &client_name, &service_name, rqstp);
- if (errmsg != NULL)
- krb5_free_error_message(handle->context, errmsg);
+ if (errmsg != NULL)
+ krb5_free_error_message(handle->context, errmsg);
- gss_release_buffer(&minor_stat, &client_name);
- gss_release_buffer(&minor_stat, &service_name);
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
exit_func:
- free_server_handle(handle);
- return &ret;
+ free_server_handle(handle);
+ return &ret;
}
generic_ret *init_2_svc(krb5_ui_4 *arg, struct svc_req *rqstp)
{
- static generic_ret ret;
- gss_buffer_desc client_name,
- service_name;
- kadm5_server_handle_t handle;
- OM_uint32 minor_stat;
- const char *errmsg = NULL;
- size_t clen, slen;
- char *cdots, *sdots;
-
- xdr_free(xdr_generic_ret, &ret);
-
- if ((ret.code = new_server_handle(*arg, rqstp, &handle)))
- goto exit_func;
- if (! (ret.code = check_handle((void *)handle))) {
- ret.api_version = handle->api_version;
- }
-
- free_server_handle(handle);
-
- if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
- ret.code = KADM5_FAILURE;
- goto exit_func;
- }
-
- if (ret.code != 0)
- errmsg = krb5_get_error_message(NULL, ret.code);
-
- clen = client_name.length;
- trunc_name(&clen, &cdots);
- slen = service_name.length;
- trunc_name(&slen, &sdots);
- /* okay to cast lengths to int because trunc_name limits max value */
- krb5_klog_syslog(LOG_NOTICE, "Request: kadm5_init, %.*s%s, %s, "
- "client=%.*s%s, service=%.*s%s, addr=%s, "
- "vers=%d, flavor=%d",
- (int)clen, (char *)client_name.value, cdots,
- errmsg ? errmsg : "success",
- (int)clen, (char *)client_name.value, cdots,
- (int)slen, (char *)service_name.value, sdots,
- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
- ret.api_version & ~(KADM5_API_VERSION_MASK),
- rqstp->rq_cred.oa_flavor);
- if (errmsg != NULL)
- krb5_free_error_message(NULL, errmsg);
- gss_release_buffer(&minor_stat, &client_name);
- gss_release_buffer(&minor_stat, &service_name);
-
+ static generic_ret ret;
+ gss_buffer_desc client_name,
+ service_name;
+ kadm5_server_handle_t handle;
+ OM_uint32 minor_stat;
+ const char *errmsg = NULL;
+ size_t clen, slen;
+ char *cdots, *sdots;
+
+ xdr_free(xdr_generic_ret, &ret);
+
+ if ((ret.code = new_server_handle(*arg, rqstp, &handle)))
+ goto exit_func;
+ if (! (ret.code = check_handle((void *)handle))) {
+ ret.api_version = handle->api_version;
+ }
+
+ free_server_handle(handle);
+
+ if (setup_gss_names(rqstp, &client_name, &service_name) < 0) {
+ ret.code = KADM5_FAILURE;
+ goto exit_func;
+ }
+
+ if (ret.code != 0)
+ errmsg = krb5_get_error_message(NULL, ret.code);
+
+ clen = client_name.length;
+ trunc_name(&clen, &cdots);
+ slen = service_name.length;
+ trunc_name(&slen, &sdots);
+ /* okay to cast lengths to int because trunc_name limits max value */
+ krb5_klog_syslog(LOG_NOTICE, "Request: kadm5_init, %.*s%s, %s, "
+ "client=%.*s%s, service=%.*s%s, addr=%s, "
+ "vers=%d, flavor=%d",
+ (int)clen, (char *)client_name.value, cdots,
+ errmsg ? errmsg : "success",
+ (int)clen, (char *)client_name.value, cdots,
+ (int)slen, (char *)service_name.value, sdots,
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
+ ret.api_version & ~(KADM5_API_VERSION_MASK),
+ rqstp->rq_cred.oa_flavor);
+ if (errmsg != NULL)
+ krb5_free_error_message(NULL, errmsg);
+ gss_release_buffer(&minor_stat, &client_name);
+ gss_release_buffer(&minor_stat, &service_name);
+
exit_func:
- return(&ret);
+ return(&ret);
}
gss_name_t
rqst2name(struct svc_req *rqstp)
{
- if (rqstp->rq_cred.oa_flavor == RPCSEC_GSS)
- return rqstp->rq_clntname;
- else
- return rqstp->rq_clntcred;
+ if (rqstp->rq_cred.oa_flavor == RPCSEC_GSS)
+ return rqstp->rq_clntname;
+ else
+ return rqstp->rq_clntcred;
}