/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
*
* Copyright 1990,2000,2001,2002,2003,2004,2006,2008 Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*/
/*
*/
/*
* get socket addresses for KDC.
*/
/*
* Solaris Kerberos
* Re-factored the following routines to get a clear separation of locating
* KDC entries (krb5.conf/DNS-SRVrecs) versus mapping them to net addresses
* to allow us to output better error msgs:
* krb5int_locate_server
* prof_locate_server
* dns_locate_server
* krb5_locate_srv_conf_1 (removed)
* krb5_locate_srv_dns_1 (removed)
* prof_hostnames2netaddrs (new)
* hostlist2str (new)
* dns_hostnames2netaddrs (new)
* dnslist2str (new)
* Also, for the profile get_master==1 case, the algorithm has been
* simplified to just do a profile_get_values on KRB5_CONF_ADMIN_SERVER and
* not try to match those against "kdc" entries (does not seem necessary
* and the DNS-SRVrecs code does not do that).
*/
#include "fake-addrinfo.h"
#include "k5-int.h"
#include "os-proto.h"
#include <stdio.h>
#ifdef KRB5_DNS_LOOKUP
#ifdef WSHELPER
#include <wshelper.h>
#else /* WSHELPER */
#include <resolv.h>
#include <netdb.h>
#endif /* WSHELPER */
#ifndef T_SRV
#endif /* T_SRV */
#include <syslog.h>
#include <locale.h>
/* for old Unixes and friends ... */
#ifndef MAXHOSTNAMELEN
#endif
/* Solaris Kerberos: default to dns lookup for the KDC but not the realm */
#define DEFAULT_LOOKUP_REALM 0
static int
{
int use_dns = 0;
KRB5_CONF_DNS_FALLBACK, 0, 0, &value);
if (code)
return defalt;
if (value == 0)
return defalt;
return use_dns;
}
int
{
}
int
{
}
#endif /* KRB5_DNS_LOOKUP */
int
{
size_t i;
void *newaddrs;
return ENOMEM;
}
return 0;
}
/* Free up everything pointed to by the addrlist structure, but don't
free the structure itself. */
void
{
size_t i;
/* Solaris Kerberos: */
}
}
static int
{
switch (err) {
case 0:
return 0;
case EAI_BADFLAGS:
case EAI_FAMILY:
case EAI_SOCKTYPE:
case EAI_SERVICE:
/* All of these indicate bad inputs to getaddrinfo. */
return EINVAL;
case EAI_AGAIN:
/* Translate to standard errno code. */
return EAGAIN;
case EAI_MEMORY:
/* Translate to standard errno code. */
return ENOMEM;
#ifdef EAI_ADDRFAMILY
case EAI_ADDRFAMILY:
#endif
case EAI_NODATA:
#endif
case EAI_NONAME:
/* Name not known or no address data, but no error. Do
nothing more. */
return 0;
#ifdef EAI_OVERFLOW
case EAI_OVERFLOW:
/* An argument buffer overflowed. */
return EINVAL; /* XXX */
#endif
#ifdef EAI_SYSTEM
case EAI_SYSTEM:
/* System error, obviously. */
return errno;
#endif
default:
/* An error code we haven't handled? */
return EINVAL;
}
}
/* Solaris Kerberos: want dbg messages to syslog */
#include <stdarg.h>
static inline void
{
#ifdef TEST
#endif
}
#if 0
extern void krb5int_debug_fprint(const char *, ...);
#define dprint krb5int_debug_fprint
#define print_addrlist krb5int_print_addrlist
extern void print_addrlist (const struct addrlist *a);
#else
#endif
/*
* Solaris Kerberos: modified this function to take an optional hostname. This
* is a hack until we can sync MIT 1.10 which deals with retrieved hostnames in
* a better way.
*/
static int
{
int err;
if (err) {
return err;
}
}
/* Solaris Kerberos: */
if (hostname) {
return (ENOMEM);
}
} else {
}
Tprintf("\n");
return 0;
}
static void
{
/* Strict interpretation of the C standard says we can't assume
that the ABI for f(void*) and f(struct foo *) will be
compatible. Use this stub just to be paranoid. */
}
int
{
void (*freefn)(void *);
Tprintf ("adding hostname %s, ports %d,%d, family %d, socktype %d\n",
#ifdef AI_NUMERICSERV
#endif
/* XXX */
return EINVAL;
return EINVAL;
if (err) {
Tprintf ("\tgetaddrinfo(\"%s\", \"%s\", ...)\n\treturns %d: %s\n",
return translate_ai_error (err);
}
anext = 0;
}
goto egress;
if (socktype == 0)
else if (socktype != SOCK_DGRAM)
goto egress;
if (err) {
goto egress;
}
}
/* Solaris Kerberos */
if (anext)
return err;
}
#include <locate_plugin.h>
#if TARGET_OS_MAC
static const char *objdirs[] = { KRB5_PLUGIN_BUNDLE_DIR, LIBDIR "/krb5/plugins/libkrb5", NULL }; /* should be a list */
#else
#endif
struct module_callback_data {
int out_of_mem;
};
static int
{
struct module_callback_data *d = cbdata;
struct {
union {
#ifdef KRB5_USE_INET6
#endif
} u;
} *x;
return 0;
#ifdef KRB5_USE_INET6
#endif
)
return 0;
x = calloc (1, sizeof (*x));
if (x == 0) {
d->out_of_mem = 1;
return 1;
}
memset(x, 0, sizeof (*x));
}
#ifdef KRB5_USE_INET6
}
#endif
/* Assumes only error is ENOMEM. */
d->out_of_mem = 1;
return 1;
}
return 0;
}
static krb5_error_code
{
void **ptrs;
int i;
const char *msg;
Tprintf("in module_locate_server\n");
if (code)
return KRB5_PLUGIN_NO_HANDLE;
}
if (code) {
Tprintf("error looking up plugin symbols: %s\n",
return KRB5_PLUGIN_NO_HANDLE;
}
return ENOMEM;
}
return ENOMEM;
}
for (i = 0; ptrs[i]; i++) {
void *blob;
/* For now, don't keep the plugin data alive. For long-lived
contexts, it may be desirable to change that later. */
if (code)
continue;
if (code == KRB5_PLUGIN_NO_HANDLE) {
/* Module passes, keep going. */
/* XXX */
Tprintf("plugin doesn't handle this realm (KRB5_PLUGIN_NO_HANDLE)\n");
continue;
}
if (code != 0) {
/* Module encountered an actual error. */
Tprintf("plugin lookup routine returned error %d: %s\n",
return code;
}
break;
}
Tprintf("ran off end of plugin list\n");
return KRB5_PLUGIN_NO_HANDLE;
}
/* Got something back, yippee. */
Tprintf("now have %lu addrs in list %p\n",
return 0;
}
static krb5_error_code
char ***hostlist,
enum locate_service_type svc)
{
int i, j, count;
switch (svc) {
case locate_service_kdc:
break;
break;
case locate_service_kadmin:
break;
case locate_service_krb524:
break;
case locate_service_kpasswd:
break;
default:
return EINVAL;
}
return ENOMEM;
hl = 0;
realm_srv_names[3] = 0;
if (code) {
Tprintf ("config file lookup failed: %s\n",
return code;
}
return 0;
}
static krb5_error_code
struct srv_dns_entry **dns_list_head,
{
const char *dnsname;
if (!use_dns)
return KRB5_PLUGIN_NO_HANDLE;
switch (svc) {
case locate_service_kdc:
dnsname = "_kerberos";
break;
dnsname = "_kerberos-master";
break;
case locate_service_kadmin:
dnsname = "_kerberos-adm";
break;
case locate_service_krb524:
dnsname = "_krb524";
break;
case locate_service_kpasswd:
dnsname = "_kpasswd";
break;
default:
return KRB5_PLUGIN_NO_HANDLE;
}
code = 0;
if (code)
}
if (code)
}
return 0;
/* Check for the "." case indicating no support. */
return KRB5_ERR_NO_SERVICE;
}
/*
* Okay! Now we've got a linked list of entries sorted by
* priority. Return it so later we can map hostnames to net addresses.
*/
*dns_list_head = head;
return 0;
}
/*
* Given the list of hostnames of KDCs found in DNS SRV recs, lets go
* thru NSS (name svc switch) to get the net addrs.
*/
static krb5_error_code
struct srv_dns_entry *head,
enum locate_service_type svc,
int socktype,
int family,
{
Tprintf ("walking answer list:\n");
code = 0;
if (socktype)
else {
SOCK_DGRAM, family);
}
if (code) {
}
}
Tprintf ("[end]\n");
return code;
}
/*
* Given the DNS SRV recs list, return a string of all the hosts like so:
* "fqdn0[,fqdn1][,fqdnN]"
*/
static char *
{
char *s = NULL;
}
if (!c)
return NULL;
/* hostnames + commas + NULL */
if (!s)
return NULL;
}
return s;
}
/*
* Given the profile hostlist, return a string of all the hosts like so:
* "fqdn0[,fqdn1][,fqdnN]"
*/
static char *
{
hl++;
c++;
}
if (!c)
return NULL;
/* hostnames + commas + NULL */
if (!s)
return NULL;
hl++;
hl++;
}
return s;
}
/*
* Take the profile KDC list and return a list of net addrs.
*/
static krb5_error_code
char **hostlist,
enum locate_service_type svc,
int socktype,
int family,
{
int code, i;
int count = 0;
count++;
if (count == 0) {
return 0;
}
switch (svc) {
case locate_service_kdc:
have old, crufty, wrong settings that this is probably
better. */
break;
case locate_service_kadmin:
break;
case locate_service_krb524:
break;
case locate_service_kpasswd:
break;
default:
return EINVAL;
}
for (i=0; hostlist[i]; i++) {
/* Find port number, and strip off any excess characters. */
else
*cp = '\0';
if (port) {
unsigned long l;
#ifdef HAVE_STROUL
char *endptr;
return EINVAL;
#else
#endif
/* L is unsigned, don't need to check <0. */
if (l == 0 || l > 65535)
return EINVAL;
p2 = 0;
} else {
p2 = sec_udpport;
}
if (socktype != 0) {
} else {
SOCK_DGRAM, family);
if (code == 0)
}
}
return code;
}
/*
* Wrapper function for the various backends
*/
enum locate_service_type svc,
{
"Cannot find KDC for invalid realm name \"\"");
return KRB5_REALM_CANT_RESOLVE;
}
if (code == KRB5_PLUGIN_NO_HANDLE) {
/*
* We always try the local file before DNS. Note that there
* is no way to indicate "service not available" via the
* config file.
*/
#ifdef KRB5_DNS_LOOKUP
/*
* Solaris Kerberos:
* There is no point in trying to locate the KDC in DNS if "realm"
* is empty.
*/
/* Try DNS for all profile errors? */
if (code2 != KRB5_PLUGIN_NO_HANDLE)
}
#endif /* KRB5_DNS_LOOKUP */
/* We could put more heuristics here, like looking up a hostname
of "kerberos."+REALM, etc. */
}
if (code != 0) {
if (hostlist)
if (dns_list_head)
return code;
}
/*
* At this point we have no errors, let's check to see if we have
* any KDC entries from krb5.conf or DNS.
*/
if (!hostlist && !dns_list_head) {
switch(svc) {
"Cannot find a master KDC entry in krb5.conf(4) or DNS Service Location records for realm '%.*s'"),
break;
case locate_service_kadmin:
"Cannot find a kadmin KDC entry in krb5.conf(4) or DNS Service Location records for realm '%.*s'"),
break;
case locate_service_kpasswd:
"Cannot find a kpasswd KDC entry in krb5.conf(4) or DNS Service Location records for realm '%.*s'"),
break;
default: /* locate_service_kdc: */
"Cannot find any KDC entries in krb5.conf(4) or DNS Service Location records for realm '%.*s'"),
}
return KRB5_REALM_CANT_RESOLVE;
}
/* We have KDC entries, let see if we can get their net addrs. */
if (hostlist)
else if (dns_list_head)
if (code) {
if (hostlist)
if (dns_list_head)
return code;
}
/*
* Solaris Kerberos:
* If an entry for _kerberos-master. does not exist (checked for
* above) but _kpasswd. does then treat that as an entry for the
* master KDC (but use port 88 not the kpasswd port). MS AD creates
* kpasswd entries by default in DNS.
*/
/* Look for _kpasswd._tcp|udp */
if (code == 0 && dns_list_head) {
int i;
struct addrinfo *a;
/* Set the port to 88 instead of the kpasswd port */
}
}
}
}
/* No errors so far, lets see if we have KDC net addrs */
if (hostlist) {
"Cannot resolve network address for KDCs '%s' specified in krb5.conf(4) for realm %.*s"),
if (hostlist_str)
} else if (dns_list_head) {
"Cannot resolve network address for KDCs '%s' discovered via DNS Service Location records for realm '%.*s'"),
if (dnslist_str)
}
if (hostlist)
if (dns_list_head)
return KRB5_REALM_CANT_RESOLVE;
}
if (hostlist)
if (dns_list_head)
return 0;
}
{
}
/*
* Solaris Kerberos: for a given realm return a list of kadmin servers in
* addrlist
*/
{
/* don't really care about the socket type so just using SOCK_STREAM */
AF_UNSPEC));
}
/*
* Solaris Kerberos: for backward compat. Avoid using this
* function!
*/
char *srvhost,
unsigned short *port)
{
#ifdef KRB5_DNS_LOOKUP
{
if (use_dns) {
if (code)
return (code);
return KRB5_REALM_CANT_RESOLVE;
#ifdef DEBUG
#endif
}
}
#endif /* KRB5_DNS_LOOKUP */
return (code);
}