search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add comment.
[shishi.git] / src / shishid.c
blob4f6aead5f32f0b2609e06d869a66ea5045c9e741
1 /* shishid.c Shishi Key Distribution Center daemon.
2 * Copyright (C) 2002, 2003 Simon Josefsson
3 *
4 * This file is part of Shishi.
5 *
6 * Shishi is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * Shishi is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with Shishi; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 *
20 */
21
22 #if HAVE_CONFIG_H
23 #include "config.h"
24 #endif
25
26 #ifdef STDC_HEADERS
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <stdarg.h>
30 #include <ctype.h>
31 #endif
32
33 #ifdef HAVE_UNISTD_H
34 #include <unistd.h>
35 #endif
36
37 #ifdef HAVE_NETDB_H
38 #include <netdb.h>
39 #endif
40
41 #if defined HAVE_DECL_H_ERRNO && !HAVE_DECL_H_ERRNO
42 /* extern int h_errno; */
43 #endif
44
45 #ifdef HAVE_PWD_H
46 #include <pwd.h>
47 #endif
48
49 #ifdef HAVE_SYS_TYPES_H
50 #include <sys/types.h>
51 #endif
52
53 #ifdef HAVE_SYS_SELECT_H
54 #include <sys/select.h>
55 #endif
56
57 #ifdef HAVE_SYS_SOCKET_H
58 #include <sys/socket.h>
59 #endif
60
61 #ifdef HAVE_SYS_IOCTL_H
62 #include <sys/ioctl.h>
63 #endif
64
65 #ifdef HAVE_ERRNO_H
66 #include <errno.h>
67 #endif
68
69 #if HAVE_INTTYPES_H
70 # include <inttypes.h>
71 #else
72 # if HAVE_STDINT_H
73 # include <stdint.h>
74 # endif
75 #endif
76
77 #if TIME_WITH_SYS_TIME
78 # include <sys/time.h>
79 # include <time.h>
80 #else
81 # if HAVE_SYS_TIME_H
82 # include <sys/time.h>
83 # else
84 # include <time.h>
85 # endif
86 #endif
87
88 #if HAVE_STRING_H
89 # if !STDC_HEADERS && HAVE_MEMORY_H
90 # include <memory.h>
91 # endif
92 # include <string.h>
93 #endif
94 #if HAVE_STRINGS_H
95 # include <strings.h>
96 #endif
97
98 #ifdef HAVE_SIGNAL_H
99 #include <signal.h>
100 #endif
101
102 #ifdef HAVE_NETINET_IN_H
103 #include <netinet/in.h>
104 #endif
105 #ifdef HAVE_NETINET_IN6_H
106 #include <netinet/in6.h>
107 #endif
108
109 #ifdef HAVE_ARPA_INET_H
110 #include <arpa/inet.h>
111 #endif
112
113 #ifdef HAVE_SYSLOG_H
114 #include <syslog.h>
115 #endif
116
117 #ifdef ENABLE_NLS
118 extern char *_shishi_gettext (const char *str);
119 #define _(String) _shishi_gettext (String)
120 #define gettext_noop(String) String
121 #define N_(String) gettext_noop (String)
122 #endif
123
124 #include <shishi.h>
125 #include <argp.h>
126
127 #define FAMILY_IPV4 "IPv4"
128 #define FAMILY_IPV6 "IPv6"
129
130 #ifdef WITH_IPV6
131 #define LISTEN_DEFAULT FAMILY_IPV4 ":*:kerberos/udp, " \
132 FAMILY_IPV4 ":*:kerberos/tcp, " \
133 FAMILY_IPV6 ":*:kerberos/udp, " \
134 FAMILY_IPV6 ":*:kerberos/tcp"
135 #else
136 #define LISTEN_DEFAULT "*:kerberos/udp, *:kerberos/tcp"
137 #endif
138
139 struct listenspec
140 {
141 char *str;
142 int family;
143 struct sockaddr addr;
144 int port;
145 int type;
146 int sockfd;
147 char buf[BUFSIZ];
148 size_t bufpos;
149 };
150
151 struct arguments
152 {
153 int silent, verbose;
154 char *cfgfile;
155 char *setuid;
156 struct listenspec *listenspec;
157 int nlistenspec;
158 };
159
160 struct arguments arg;
161
162 const char *argp_program_version = PACKAGE_STRING;
163 const char *argp_program_bug_address = PACKAGE_BUGREPORT;
164
165 static error_t
166 parse_opt (int key, char *arg, struct argp_state *state)
167 {
168 struct arguments *arguments = state->input;
169 char *ptrptr;
170 char *val;
171 int i;
172
173 switch (key)
174 {
175 case 'q':
176 case 's':
177 arguments->silent = 1;
178 break;
179
180 case 'v':
181 arguments->verbose = 1;
182 break;
183
184 case 'c':
185 arguments->cfgfile = strdup (arg);
186 break;
187
188 case 'u':
189 arguments->setuid = strdup (arg);
190 break;
191
192 case ARGP_KEY_END:
193 if (arguments->nlistenspec > 0)
194 break;
195 arg = strdup (LISTEN_DEFAULT);
196 /* fall through */
197
198 case 'l':
199 for (i = 0; (val = strtok_r (i == 0 ? arg : NULL, ", \t", &ptrptr));
200 i++)
201 {
202 char *service, *proto;
203 struct servent *se;
204 struct hostent *he;
205 struct listenspec *ls;
206 struct sockaddr_in *sin;
207 #ifdef WITH_IPV6
208 struct sockaddr_in6 *sin6;
209 #endif
210
211 arguments->nlistenspec++;
212 arguments->listenspec = realloc (arguments->listenspec,
213 sizeof (*arguments->listenspec) *
214 arguments->nlistenspec);
215 if (arguments->listenspec == NULL)
216 argp_error (state, "Fatal memory allocation error");
217 ls = &arguments->listenspec[arguments->nlistenspec - 1];
218 ls->str = strdup (val);
219 ls->bufpos = 0;
220 sin = (struct sockaddr_in *) &ls->addr;
221 #ifdef WITH_IPV6
222 sin6 = (struct sockaddr_in6 *) &ls->addr;
223 #endif
224
225 proto = strrchr (val, '/');
226 if (proto == NULL)
227 argp_error (state, "Could not find type in listen spec: `%s'",
228 ls->str);
229 *proto = '\0';
230 proto++;
231
232 if (strcmp (proto, "tcp") == 0)
233 ls->type = SOCK_STREAM;
234 else
235 ls->type = SOCK_DGRAM;
236
237 service = strrchr (val, ':');
238 if (service == NULL)
239 argp_error (state, "Could not find service in listen spec: `%s'",
240 ls->str);
241 *service = '\0';
242 service++;
243
244 se = getservbyname (service, proto);
245 if (se)
246 ls->port = ntohs (se->s_port);
247 else if (strcmp (service, "kerberos") == 0)
248 ls->port = 88;
249 else if (atoi (service) != 0)
250 ls->port = atoi (service);
251 else
252 argp_error (state, "Unknown service `%s' in listen spec: `%s'",
253 service, ls->str);
254
255 #ifdef WITH_IPV6
256 if (ls->family == AF_INET6)
257 sin6->sin6_port = htons (ls->port);
258 else
259 #endif
260 sin->sin_port = htons (ls->port);
261
262 if (strncmp (val, FAMILY_IPV4 ":", strlen (FAMILY_IPV4 ":")) == 0)
263 {
264 ls->family = AF_INET;
265 val += strlen (FAMILY_IPV4 ":");
266 }
267 #ifdef WITH_IPV6
268 else if (strncmp (val, FAMILY_IPV6 ":", strlen (FAMILY_IPV6 ":")) ==
269 0)
270 {
271 ls->family = AF_INET6;
272 val += strlen (FAMILY_IPV6 ":");
273 }
274 #endif
275 else
276 ls->family = AF_INET;
277
278 if (strcmp (val, "*") == 0)
279 {
280 #ifdef WITH_IPV6
281 if (ls->family == AF_INET6)
282 sin6->sin6_addr = in6addr_any;
283 else
284 #endif
285 sin->sin_addr.s_addr = htonl (INADDR_ANY);
286 }
287 else if ((he = gethostbyname (val)))
288 {
289 if (he->h_addrtype == AF_INET)
290 {
291 sin->sin_family = AF_INET;
292 memcpy (&sin->sin_addr, he->h_addr_list[0], he->h_length);
293 }
294 #ifdef WITH_IPV6
295 else if (he->h_addrtype == AF_INET6)
296 {
297 sin6->sin6_family = AF_INET6;
298 memcpy (&sin6->sin6_addr, he->h_addr_list[0], he->h_length);
299 }
300 #endif
301 else
302 argp_error (state, "Unknown protocol family (%d) returned "
303 "by gethostbyname(\"%s\"): `%s'", he->h_addrtype,
304 val, ls->str);
305 }
306 else
307 argp_error (state, "Unknown host `%s' in listen spec: `%s'",
308 val, ls->str);
309
310 }
311 break;
312
313 case ARGP_KEY_ARG:
314 argp_error (state, "Too many arguments: `%s'", arg);
315 break;
316
317 default:
318 return ARGP_ERR_UNKNOWN;
319 }
320
321 return 0;
322 }
323
324 static struct argp_option options[] = {
325
326 {"verbose", 'v', 0, 0,
327 "Produce verbose output."},
328
329 {"quiet", 'q', 0, 0,
330 "Don't produce any output."},
331
332 {"silent", 's', 0, OPTION_ALIAS},
333
334 {"configuration-file", 'c', "FILE", 0,
335 "Read configuration from file. Default is " SYSTEMCFGFILE "."},
336
337 {"listen", 'l', "[FAMILY:]ADDRESS:SERVICE/TYPE,...", 0,
338 "What to listen on. Family is \"IPv4\" or \"IPv6\", if absent the "
339 "family is decided by gethostbyname(ADDRESS). An address of \"*\" "
340 "indicates all addresses on the local host. "
341 "The default is \"" LISTEN_DEFAULT "\"."},
342
343 {"setuid", 'u', "NAME", 0,
344 "After binding socket, set user identity."},
345
346 {0}
347 };
348
349 static struct argp argp = {
350 options,
351 parse_opt,
352 NULL,
353 "Shishid -- Key Distribution Center network daemon"
354 };
355
356 static int
357 asreq1 (Shishi * handle, Shishi_as * as)
358 {
359 Shishi_tkt *tkt;
360 Shishi_key *sessionkey, *sessiontktkey, *userkey;
361 int etype, i;
362 char buf[BUFSIZ];
363 int buflen;
364 int err;
365 char *username, *servername, *serverrealm;
366 char *password;
367
368 tkt = shishi_as_tkt (as);
369 if (!tkt)
370 return SHISHI_MALLOC_ERROR;
371
372 i = 1;
373 do
374 {
375 err = shishi_kdcreq_etype (handle, shishi_as_req (as), &etype, i);
376 if (err == SHISHI_OK && shishi_cipher_supported_p (etype))
377 break;
378 }
379 while (err == SHISHI_OK);
380 if (err != SHISHI_OK)
381 return err;
382
383 /* XXX use a "preferred server kdc etype" from shishi instead? */
384 err = shishi_key_random (handle, etype, &sessionkey);
385 if (err)
386 return err;
387 err = shishi_key_random (handle, etype, &sessiontktkey);
388 if (err)
389 return err;
390
391 err = shishi_tkt_key_set (tkt, sessionkey);
392 if (err)
393 return err;
394
395 buflen = sizeof (buf) - 1;
396 err = shishi_kdcreq_cname_get (handle, shishi_as_req (as), buf, &buflen);
397 if (err != SHISHI_OK)
398 return err;
399 buf[buflen] = '\0';
400 username = strdup (buf);
401 printf ("username %s\n", username);
402
403 buflen = sizeof (buf) - 1;
404 err = shishi_kdcreq_sname_get (handle, shishi_as_req (as), buf, &buflen);
405 if (err != SHISHI_OK)
406 return err;
407 buf[buflen] = '\0';
408 servername = strdup (buf);
409 printf ("servername %s\n", servername);
410
411 buflen = sizeof (buf) - 1;
412 err = shishi_kdcreq_realm_get (handle, shishi_as_req (as), buf, &buflen);
413 if (err != SHISHI_OK)
414 return err;
415 buf[buflen] = '\0';
416 serverrealm = strdup (buf);
417 printf ("serverrealm %s\n", serverrealm);
418
419 password = "foo";
420
421 err = shishi_tkt_clientrealm_set (tkt, serverrealm, username);
422 if (err)
423 return err;
424
425 err = shishi_tkt_serverrealm_set (tkt, serverrealm, servername);
426 if (err)
427 return err;
428
429 buflen = sizeof (buf);
430 err = shishi_as_derive_salt (handle, shishi_as_req (as), shishi_as_rep (as),
431 buf, &buflen);
432 if (err != SHISHI_OK)
433 return err;
434
435 err = shishi_key_from_string (handle,
436 etype,
437 password,
438 strlen (password),
439 buf, buflen, NULL, &userkey);
440 if (err != SHISHI_OK)
441 return err;
442
443 err = shishi_tkt_build (tkt, sessiontktkey);
444 if (err)
445 return err;
446
447 err = shishi_as_rep_build (as, userkey);
448 if (err)
449 return err;
450
451 if (arg.verbose)
452 {
453 shishi_kdcreq_print (handle, stderr, shishi_as_req (as));
454 shishi_encticketpart_print (handle, stderr,
455 shishi_tkt_encticketpart (tkt));
456 shishi_ticket_print (handle, stderr, shishi_tkt_ticket (tkt));
457 shishi_enckdcreppart_print (handle, stderr,
458 shishi_tkt_enckdcreppart (tkt));
459 shishi_kdcrep_print (handle, stderr, shishi_as_rep (as));
460 }
461
462 return SHISHI_OK;
463 }
464
465 static void
466 asreq (Shishi * handle, Shishi_asn1 kdcreq, char **out, int *outlen)
467 {
468 Shishi_as *as;
469 int rc;
470
471 rc = shishi_as (handle, &as);
472 if (rc != SHISHI_OK)
473 {
474 syslog (LOG_ERR, "Incoming request failed: Cannot create AS: %s\n",
475 shishi_strerror (rc));
476 /* XXX hard coded KRB-ERROR? */
477 *out = strdup ("foo");
478 *outlen = strlen (*out);
479 return;
480 }
481
482 shishi_as_req_set (as, kdcreq);
483
484 *out = malloc (BUFSIZ);
485 if (*out == NULL)
486 {
487 syslog (LOG_ERR, "Incoming request failed: Cannot allocate memory\n");
488 /* XXX hard coded KRB-ERROR? */
489 *out = NULL;
490 *outlen = 0;
491 return;
492 }
493 *outlen = BUFSIZ;
494
495 rc = asreq1 (handle, as);
496 if (rc != SHISHI_OK)
497 {
498 syslog (LOG_NOTICE, "Could not answer request: %s: %s\n",
499 shishi_strerror (rc),
500 shishi_krberror_message (handle, shishi_as_krberror (as)));
501 rc = shishi_as_krberror_der (as, *out, outlen);
502 }
503 else
504 rc = shishi_as_rep_der (as, *out, outlen);
505 if (rc != SHISHI_OK)
506 {
507 syslog (LOG_ERR,
508 "Incoming request failed: Cannot DER encode reply: %s\n",
509 shishi_strerror (rc));
510 /* XXX hard coded KRB-ERROR? */
511 *out = strdup ("aaaaaa");
512 *outlen = strlen (*out);
513 return;
514 }
515
516 return;
517 }
518
519 static void
520 process (Shishi * handle, char *in, int inlen, char **out, int *outlen)
521 {
522 Shishi_asn1 kdcreq;
523
524 fprintf (stderr, "Processing %d bytes...\n", inlen);
525
526 kdcreq = shishi_der2asn1_asreq (handle, in, inlen);
527 if (!kdcreq)
528 {
529 asreq (handle, kdcreq, out, outlen);
530 return;
531 }
532
533 kdcreq = shishi_der2asn1_tgsreq (handle, in, inlen);
534 if (!kdcreq)
535 {
536 fprintf (stderr, "tgs-req...\n");
537 }
538
539 /* XXX hard coded KRB-ERROR? */
540 *out = NULL;
541 *outlen = 0;
542 }
543
544 int quit = 0;
545
546 void ctrlc (int signum);
547
548 void
549 ctrlc (int signum)
550 {
551 quit = 1;
552 }
553
554 static int
555 doit (Shishi * handle, struct arguments arg)
556 {
557 struct listenspec *ls;
558 fd_set readfds;
559 struct sockaddr addr;
560 socklen_t length = sizeof (addr);
561 int maxfd = 0;
562 int rc;
563 int i;
564 int sent_bytes, read_bytes;
565 int yes;
566
567 for (i = 0; i < arg.nlistenspec; i++)
568 {
569 ls = &arg.listenspec[i];
570
571 ls->sockfd = socket (ls->family, ls->type, 0);
572 if (ls->sockfd < 0)
573 {
574 if (!arg.silent)
575 printf ("failed\n");
576 perror ("socket");
577 ls->sockfd = 0;
578 continue;
579 }
580
581 yes = 1;
582 if (setsockopt (ls->sockfd, SOL_SOCKET, SO_REUSEADDR,
583 (char *) &yes, sizeof (yes)) < 0)
584 {
585 if (!arg.silent)
586 printf ("failed\n");
587 perror ("setsockopt");
588 close (ls->sockfd);
589 ls->sockfd = 0;
590 continue;
591 }
592
593 if (bind (ls->sockfd, &ls->addr, sizeof (ls->addr)) != 0)
594 {
595 if (!arg.silent)
596 printf ("failed\n");
597 perror ("bind");
598 close (ls->sockfd);
599 ls->sockfd = 0;
600 continue;
601 }
602
603 if (ls->type == SOCK_STREAM && listen (ls->sockfd, 512) != 0)
604 {
605 if (!arg.silent)
606 printf ("failed\n");
607 perror ("listen");
608 close (ls->sockfd);
609 ls->sockfd = 0;
610 continue;
611 }
612
613 if (!arg.silent)
614 printf ("Listening on %s...", ls->str);
615
616 maxfd++;
617 if (!arg.silent)
618 printf ("done\n");
619 }
620
621 if (maxfd == 0)
622 {
623 fprintf (stderr, "Failed to bind any ports.\n");
624 return 1;
625 }
626
627 if (!arg.silent)
628 printf ("Listening on %d ports...\n", maxfd);
629
630 if (arg.setuid)
631 {
632 struct passwd *passwd;
633
634 passwd = getpwnam (arg.setuid);
635 if (passwd == NULL)
636 {
637 perror ("setuid: getpwnam");
638 return 1;
639 }
640
641 rc = setuid (passwd->pw_uid);
642 if (rc == -1)
643 {
644 perror ("setuid");
645 return 1;
646 }
647
648 if (!arg.silent)
649 printf ("User identity set to `%s' (%d)...\n",
650 passwd->pw_name, passwd->pw_uid);
651 }
652
653 signal (SIGINT, ctrlc);
654 signal (SIGTERM, ctrlc);
655
656 while (!quit)
657 {
658 sleep (1);
659 do
660 {
661 FD_ZERO (&readfds);
662 maxfd = 0;
663 for (i = 0; i < arg.nlistenspec; i++)
664 {
665 if (arg.listenspec[i].sockfd >= maxfd)
666 maxfd = arg.listenspec[i].sockfd + 1;
667 FD_SET (arg.listenspec[i].sockfd, &readfds);
668 }
669 }
670 while ((rc = select (maxfd, &readfds, NULL, NULL, NULL)) == 0);
671
672 if (rc < 0)
673 {
674 if (errno != EINTR)
675 perror ("select");
676 continue;
677 }
678
679 for (i = 0; i < arg.nlistenspec; i++)
680 if (FD_ISSET (arg.listenspec[i].sockfd, &readfds))
681 {
682 if (arg.listenspec[i].type == SOCK_STREAM &&
683 arg.listenspec[i].family != -1)
684 {
685 fprintf (stderr, "New connection on %s...",
686 arg.listenspec[i].str);
687
688 /* XXX search for closed fd's before allocating new entry */
689 arg.listenspec = realloc (arg.listenspec,
690 sizeof (*arg.listenspec) *
691 (arg.nlistenspec + 1));
692 if (arg.listenspec != NULL)
693 {
694 struct sockaddr_in *sin;
695 char *str;
696
697 arg.nlistenspec++;
698 ls = &arg.listenspec[arg.nlistenspec - 1];
699 ls->bufpos = 0;
700 ls->type = arg.listenspec[i].type;
701 ls->family = -1;
702 length = sizeof (ls->addr);
703 ls->sockfd = accept (arg.listenspec[i].sockfd,
704 &ls->addr, &length);
705 sin = (struct sockaddr_in *) &ls->addr;
706 str = inet_ntoa (sin->sin_addr);
707 ls->str = malloc (strlen (arg.listenspec[i].str) +
708 strlen (" peer ") + strlen (str) + 1);
709 sprintf (ls->str, "%s peer %s", arg.listenspec[i].str,
710 str);
711 puts (ls->str);
712 }
713 }
714 else
715 {
716 ls = &arg.listenspec[i];
717
718 read_bytes = recvfrom (ls->sockfd, ls->buf + ls->bufpos,
719 BUFSIZ - ls->bufpos, 0, &addr,
720 &length);
721
722 if (arg.listenspec[i].type == SOCK_STREAM &&
723 arg.listenspec[i].family == -1 && read_bytes == 0)
724 {
725 printf ("Peer %s disconnected\n", ls->str);
726 close (ls->sockfd);
727 ls->sockfd = 0;
728 }
729 else
730 {
731 ls->bufpos += read_bytes;
732 ls->buf[ls->bufpos] = '\0';
733 }
734
735 printf ("Has %d bytes from %s\n", ls->bufpos, ls->str);
736
737 if (arg.listenspec[i].type == SOCK_DGRAM ||
738 (ls->bufpos > 4
739 && ntohl (*(int *) ls->buf) == ls->bufpos))
740 {
741 char *p;
742 int plen;
743
744 process (handle, ls->buf, ls->bufpos, &p, &plen);
745
746 if (p && plen > 0)
747 {
748 do
749 sent_bytes = sendto (ls->sockfd, p, plen,
750 0, &addr, length);
751 while (sent_bytes == -1 && errno == EAGAIN);
752
753 if (sent_bytes == -1)
754 perror ("write");
755 else if (sent_bytes > plen)
756 fprintf (stderr, "wrote %db but buffer only %db",
757 sent_bytes, plen);
758 else if (sent_bytes < plen)
759 fprintf (stderr,
760 "short write (%db) writing %d bytes\n",
761 sent_bytes, plen);
762
763 free (p);
764 }
765
766 ls->bufpos = 0;
767 }
768 }
769 }
770 }
771
772 for (i = 0; i < arg.nlistenspec; i++)
773 if (arg.listenspec[i].sockfd)
774 {
775 if (!arg.silent)
776 printf ("Closing %s...", arg.listenspec[i].str);
777 rc = close (arg.listenspec[i].sockfd);
778 if (rc != 0)
779 {
780 if (!arg.silent)
781 printf ("failed\n");
782 perror ("close");
783 }
784 else if (!arg.silent)
785 printf ("done\n");
786 }
787
788 return 0;
789 }
790
791 int
792 main (int argc, char *argv[])
793 {
794 Shishi *handle;
795 int rc;
796
797 openlog (PACKAGE, LOG_PERROR, LOG_AUTHPRIV);
798 memset ((void *) &arg, 0, sizeof (arg));
799 argp_parse (&argp, argc, argv, ARGP_IN_ORDER, 0, &arg);
800
801 rc = shishi_init_server_with_paths (&handle, arg.cfgfile);
802 if (rc != SHISHI_OK)
803 {
804 syslog (LOG_ERR, "Aborting due to library initialization failure\n");
805 return 1;
806 }
807
808 rc = doit (handle, arg);
809
810 shishi_done (handle);
811 closelog ();
812
813 return rc;
814 }
Free Kerberos V5 implementation