/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
*
* This file of the Kerberos V5 software is derived from public-domain code
* contributed by Daniel J. Bernstein, <brnstnd@acf10.nyu.edu>.
*
*/
/*
*/
/*
* An implementation for the default replay cache type.
*/
#include "rc_base.h"
#include "rc_dfl.h"
#include "rc_io.h"
#include "k5-int.h"
#include "rc-int.h"
/* Solaris Kerberos */
#include <kstat.h>
#include <atomic.h>
#include <assert.h>
#include <syslog.h>
/*
* If NOIOSTUFF is defined at compile time, dfl rcaches will be per-process.
*/
/*
Local stuff:
static int hash(krb5_donot_replay *rep, int hsize)
returns hash value of *rep, between 0 and hsize - 1
HASHSIZE
size of hash table (constant), can be preset
static int cmp(krb5_donot_replay *old, krb5_donot_replay *new, krb5_deltat t)
compare old and new; return CMP_REPLAY or CMP_HOHUM
static int alive(krb5_context, krb5_donot_replay *new, krb5_deltat t)
see if new is still alive; return CMP_EXPIRED or CMP_HOHUM
CMP_MALLOC, CMP_EXPIRED, CMP_REPLAY, CMP_HOHUM
return codes from cmp(), alive(), and store()
struct dfl_data
data stored in this cache type, namely "dfl"
struct authlist
multilinked list of reps
static int rc_store(context, krb5_rcache id, krb5_donot_replay *rep)
store rep in cache id; return CMP_REPLAY if replay, else CMP_MALLOC/CMP_HOHUM
*/
/*
* Solaris Kerberos
* The following code is shared between the file and memory replay cache
* implementations and lives in rc_common.[ch].
*/
#include "rc_common.h"
#if 0
#ifndef HASHSIZE
#endif
#ifndef EXCESSREPS
#define EXCESSREPS 30
#endif
/*
* The rcache will be automatically expunged when the number of
* expired krb5_donot_replays encountered incidentally in searching
* exceeds the number of live krb5_donot_replays by EXCESSREPS. With
* the defaults here, a typical cache might build up some 10K of
* expired krb5_donot_replays before an automatic expunge, with the
* waste basically independent of the number of stores per minute.
*
* The rcache will also automatically be expunged when it encounters
* more than EXCESSREPS expired entries when recovering a cache in
* dfl_recover.
*/
static unsigned int
{
return h % hsize;
}
#define CMP_MALLOC -3
#define CMP_EXPIRED -2
#define CMP_REPLAY -1
#define CMP_HOHUM 0
/*ARGSUSED*/
static int
{
/* If both records include message hashes, compare them as well. */
return CMP_REPLAY;
}
return CMP_HOHUM;
}
static int
{
if (mytime == 0)
return CMP_HOHUM; /* who cares? */
/* I hope we don't have to worry about overflow */
return CMP_EXPIRED;
return CMP_HOHUM;
}
#endif
struct dfl_data
{
char *name;
unsigned int hsize;
int numhits;
int nummisses;
struct authlist **h;
struct authlist *a;
#ifndef NOIOSTUFF
#endif
char recovering;
};
/* Solaris Kerberos - Moved to rc_common.h */
#if 0
struct authlist
{
};
#endif
/* of course, list is backwards from file */
/* hash could be forwards since we have to search on match, but naaaah */
static int
{
unsigned int rephash;
/*
* Solaris Kerberos:
* calling alive() on rep since it doesn't make sense to store an
* expired replay.
*/
return CMP_EXPIRED;
}
{
case CMP_REPLAY:
if (fromfile) {
/*
* This is an expected collision between a hash
* extension record and a normal-format record. Make
* sure the message hash is included in the stored
* record and carry on.
*/
return CMP_MALLOC;
}
return CMP_HOHUM;
} else
return CMP_REPLAY;
case CMP_HOHUM:
t->nummisses++;
else
t->numhits++;
break;
default:
; /* wtf? */
}
}
return CMP_MALLOC;
goto error;
goto error;
goto error;
return CMP_HOHUM;
return CMP_MALLOC;
}
char * KRB5_CALLCONV
{
}
{
struct dfl_data *t;
if (err)
return err;
return 0;
}
static krb5_error_code KRB5_CALLCONV
{
/* default to clockskew from the context */
#ifndef NOIOSTUFF
return retval;
}
if ((krb5_rc_io_write(context, &t->d,
|| krb5_rc_io_sync(context, &t->d))) {
return KRB5_RC_IO;
}
#endif
return 0;
}
{
if (retval)
return retval;
return retval;
}
/* Called with the mutex already locked. */
{
struct authlist *q;
free(t->h);
if (t->name)
while ((q = t->a))
{
t->a = q->na;
free(q);
}
#ifndef NOIOSTUFF
(void) krb5_rc_io_close(context, &t->d);
#endif
free(t);
/* Solaris Kerberos */
return 0;
}
{
if (retval)
return retval;
return 0;
}
{
#ifndef NOIOSTUFF
return KRB5_RC_IO;
#endif
}
{
struct dfl_data *t = 0;
/* allocate id? no */
return KRB5_RC_MALLOC;
if (name) {
if (!t->name) {
goto cleanup;
}
} else
t->name = 0;
if (!t->h) {
goto cleanup;
}
t->a = (struct authlist *) 0;
#ifndef NOIOSTUFF
t->d.fd = -1;
#endif
t->recovering = 0;
return 0;
if (t) {
if (t->name)
if (t->h)
free(t->h);
free(t);
/* Solaris Kerberos */
}
return retval;
}
void
{
if (rp)
{
}
}
/*
* Parse a string in the format <len>:<data>, with the length
* represented in ASCII decimal. On parse failure, return 0 but set
* *result to NULL.
*/
static krb5_error_code
{
unsigned long len;
/* Parse the length, expecting a ':' afterwards. */
errno = 0;
return 0;
/* Allocate space for *result and copy the data. */
if (!*result)
return KRB5_RC_MALLOC;
return 0;
}
/*
* Hash extension records have the format:
* client = <empty string>
* server = HASH:<msghash> <clientlen>:<client> <serverlen>:<server>
* Spaces in the client and server string are represented with
* with backslashes. Client and server lengths are represented in
* ASCII decimal (which is different from the 32-bit binary we use
* elsewhere in the replay cache).
*
* On parse failure, we leave the record unmodified.
*/
static krb5_error_code
{
/* Check if this appears to match the hash extension format. */
return 0;
return 0;
/* Parse out the message hash. */
if (!end)
return 0;
if (!msghash)
return KRB5_RC_MALLOC;
/* Parse out the client and server. */
goto error;
if (*str != ' ')
goto error;
str++;
goto error;
if (*str)
goto error;
return 0;
if (msghash)
if (client)
if (server)
return retval;
}
static krb5_error_code
{
int len2;
unsigned int len;
sizeof(len2));
if (retval)
return retval;
return KRB5_RC_IO_EOF;
return KRB5_RC_MALLOC;
if (retval)
goto errout;
sizeof(len2));
if (retval)
goto errout;
goto errout;
}
goto errout;
}
if (retval)
goto errout;
if (retval)
goto errout;
if (retval)
goto errout;
if (retval)
goto errout;
return 0;
return retval;
}
static krb5_error_code
static krb5_error_code
{
#ifdef NOIOSTUFF
return KRB5_RC_NOIO;
#else
krb5_donot_replay *rep = 0;
long max_size;
int expired_entries = 0;
return retval;
}
t->recovering = 1;
sizeof(t->lifespan))) {
retval = KRB5_RC_IO;
goto io_fail;
}
goto io_fail;
}
now = 0;
/* now read in each auth_replay and insert into table */
for (;;) {
if (krb5_rc_io_mark(context, &t->d)) {
retval = KRB5_RC_IO;
goto io_fail;
}
if (retval == KRB5_RC_IO_EOF)
break;
else if (retval != 0)
goto io_fail;
}
} else {
}
/*
* free fields allocated by rc_io_fetch
*/
}
retval = 0;
krb5_rc_io_unmark(context, &t->d);
/*
* An automatic expunge here could remove the need for
*/
if (retval)
krb5_rc_io_close(context, &t->d);
else if (expired_entries > EXCESSREPS)
t->recovering = 0;
return retval;
#endif
}
{
if (ret)
return ret;
return ret;
}
{
if (retval)
return retval;
if (retval)
return retval;
}
static krb5_error_code
{
unsigned int len;
/*
* Write a hash extension record, to be followed by a record
* in regular format (without the message hash) for the
* benefit of old implementations.
*/
/* Format the extension value so we know its length. */
if (!extstr)
return KRB5_RC_MALLOC;
/*
* Put the extension value into the server field of a
* regular-format record, with an empty client field.
*/
len = 1;
} else /* No extension record needed. */
return KRB5_RC_MALLOC;
return ret;
}
/*
* Solaris Kerberos
*
* Get time of boot. This is needed for fsync()-less operation. See below.
*
* Cstyle note: MIT style used here.
*/
static
{
kstat_t *k;
/*
* We use the boot_time kstat from the "unix" module.
*
* It's hard to determine the interface stability of kstats. To be safe
* we treat boot_time with extra care: if it disappears or is renamed,
* or if its type changes, or if its value appears to be in the future,
* then we fail to get boot time and the rcache falls back on slow
* behavior (fsync()ing at every write). If this kstat should produce a
* time less than the actual boot time then this increases the chance of
* post-crash replays of Authenticators whose rcache entries were not
* fsync()ed and were lost.
*
* We consider it extremely unlikely that this kstat will ever change at
* all however, much less to change in such a way that it will return
* the wrong boot time as an unsigned 32-bit integer. If we fail to
* find the kstat we expect we log loudly even though the rcache remains
* functional.
*/
/* check that the kstat's type hasn't changed */
/* boot_time value sanity check */
/* krb5_timestamp is int32_t, this kstat is uint32_t; 2038 problem! */
/* Return boot time to 1 to indicate failure to get actual boot time */
bt = 1;
"kstat removed or changed?); rcache will be functional, but slow");
} else {
}
(void) kstat_close(kc);
return (bt);
}
/*
* Solaris Kerberos
*
* We optimize the rcache by foregoing fsync() in the most common cases.
* Foregoing fsync() requires an early boot procedure to ensure that we
* never accept an authenticator that could be a replay of one whose
* rcache entry we've lost.
*
* We do this by picking an arbitrary, small time delta such that
* storing any krb5_donot_replays whose ctime is further into the future
* than now + that small delta causes an fsync() of the rcache. Early
* after booting we must reject all krb5_donot_replays whose ctime falls
* before time of boot + that delta.
*
* This works well as long as client clocks are reasonably synchronized
* or as long as they use kdc_timesync. Clients with clocks faster than
* this delta will find their AP exchanges are slower than clients with
* good or slow clocks. Clients with very slow clocks will find that
* their AP-REQs are rejected by servers that have just booted. In all
* other cases clients will notice only that AP exchanges are much
* faster as a result of the missing fsync()s.
*
* KRB5_RC_FSYNCLESS_FAST_SKEW is that time delta, in seconds. Five
* seconds seems like a reasonable delta. If it takes more than five
* seconds from the time the kernel initializes itself to the time when
* a kerberized system starts, and clients have good clocks or use
* kdc_timesync, then no authenticators will be rejected.
*/
{
struct dfl_data *t;
if (ret)
return ret;
/*
* Solaris Kerberos
*
* if boot_time <= 1 -> we always fsync() (see below)
* if boot_time == 1 -> don't bother trying to get it again (as it could be
* a slow operation)
*/
if (boot_time == 0) {
}
/*
* Solaris Kerberos
*
* fsync()-less-ness requires safety. If we just booted then we want to
* reject all Authenticators whose timestamps are old enough that we might
* not have fsync()ed rcache entries for them prior to booting. See
* comment above where KRB5_RC_FSYNCLESS_FAST_SKEW is defined. See
* also below, where krb5_rc_io_sync() is called.
*
* If we could tell here the time of the last system crash then we
* could do better because we could know that the rcache has been
* synced to disk. But there's no reliable way to detect past
* crashes in this code; getting the time of boot is hard enough.
*/
if (boot_time > 1 &&
/*
* A better error code would be nice; clients might then know
* that nothing's necessarily wrong with their (or our) clocks
* and that they should just wait a while (or even set their
* clock offset slow so that their timestamps then appear into
* the future, where we'd accept them.
*
* KRB5KRB_AP_ERR_SKEW will just have to do.
*/
return KRB5KRB_AP_ERR_SKEW;
}
if (ret)
return ret;
case CMP_MALLOC:
return KRB5_RC_MALLOC;
case CMP_REPLAY:
return KRB5KRB_AP_ERR_REPEAT;
/* Solaris Kerberos */
case CMP_EXPIRED:
return KRB5KRB_AP_ERR_SKEW;
case 0: break;
default: /* wtf? */ ;
}
#ifndef NOIOSTUFF
if (ret) {
return ret;
}
#endif
/* Shall we automatically expunge? */
{
/* Solaris Kerberos - Expunge calls krb5_rc_io_sync() */
return ret;
}
#ifndef NOIOSTUFF
/* Solaris Kerberos */
{
/*
* fsync() only when necessary:
*
* - on expunge (see above)
* - if we don't know when we booted
* - if rep->ctime is too far into the future
*/
if (krb5_rc_io_sync(context, &t->d)) {
return KRB5_RC_IO;
}
}
#endif
return 0;
}
static krb5_error_code
{
#ifdef NOIOSTUFF
unsigned int i;
struct authlist **q;
struct authlist *r;
/* Solaris Kerberos */
now = 0;
for (q = &t->a; *q; q = qt) {
free(*q);
*q = *qt; /* why doesn't this feel right? */
}
}
for (i = 0; i < t->hsize; i++)
t->h[i] = (struct authlist *) 0;
for (r = t->a; r; r = r->na) {
rt = t->h[i];
t->h[i] = r;
}
return 0;
#else
struct authlist *q;
char *name;
krb5_error_code retval = 0;
if (! t->recovering) {
t->name = 0; /* Clear name so it isn't freed */
if (retval)
return retval;
if (retval)
return retval;
}
/* Solaris Kerberos */
if (retval)
return retval;
if (retval)
goto cleanup;
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
retval = KRB5_RC_IO;
goto cleanup;
}
}
/* NOTE: We set retval in case we have an error */
retval = KRB5_RC_IO;
goto cleanup;
if (krb5_rc_io_sync(context, &t->d))
goto cleanup;
goto cleanup;
retval = 0;
return retval;
#endif
}
{
if (ret)
return ret;
return ret;
}